sonnieboy Posted September 15, 2016 Share Posted September 15, 2016 (edited) Greetings again experts. When users log in, they are directed to a particular page based on whether or not they have already registered before. If the user is registered, s/he is redirected to a particular page indicating s/he is already registered with some information about the benefits of being a member. If that user has not yet registered, s/he is redirected to registration form. This is not working particularly well. Example: here is the code that does the redirecting. By the way, I am using custom code for ms_escape_string() $strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join EmployeeData e on u.Employee_Id = e.EmpNum inner join tblTBA t on u.Employee_Id = t.Employee_Id WHERE USERNAME = '".ms_escape_string($_POST['user'])."' and PASSWORD = '".ms_escape_string($pass)."' "; // echo $strSQL; $sqll = sqlsrv_query($con, $strSQL); if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) { $firstname = $objResult["empl_first"]; $_SESSION["firstname"] = $objResult["empl_first"]; header('location:registered.php?user=' . urlencode($firstname)); } else header("location:register.php?user='".ms_escape_string($_POST['user'])."'&pass='".ms_escape_string($_POST['pass'])."' "); The problem I am having is with grabbing the values passed to register.php. $strSQL = "SELECT u.empl_first, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join EmployeeData e on u.Employee_Id = e.EmpNum WHERE USERNAME = ? and PASSWORD = ? "; //echo $strSQL; $params = array($_GET["user"], $_GET["pass"] $sqll = sqlsrv_query($con, $strSQL, $params); When I use this code: It works because my form gets populated with the records queried from the database but I know that code has sql injection attack written all over it. However, when I use the following code, my form is not getting populated. What could I be doing wrong? Thanks a lot in advance for yoru help Edited September 15, 2016 by sonnieboy Quote Link to comment https://forums.phpfreaks.com/topic/302196-please-help-me-understand-what-i-am-doing-wrong-again/ Share on other sites More sharing options...
mac_gyver Posted September 16, 2016 Share Posted September 16, 2016 If that user has not yet registered, s/he is redirected to registration form. if someone tries to log in and the entered username/password combination doesn't match, that doesn't mean they haven't registered. what if they miss-typed the value for either field? you would output a generic 'The username/password didn't match' message for this case and let them try to log in again. if the current visitor is not logged in, you would provide a link to the registration page, near the login form, for them to click on if they desire to register. If the user is registered, s/he is redirected to a particular page indicating s/he is already registered with some information about the benefits of being a member. you would this when they register, not when they log in. Quote Link to comment https://forums.phpfreaks.com/topic/302196-please-help-me-understand-what-i-am-doing-wrong-again/#findComment-1537650 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.