Jump to content

Please help me understand what I am doing wrong again.


Recommended Posts

Greetings again experts.

 

When users log in, they are directed to a particular page based on whether or not they have already registered before.

 

If the user is registered, s/he is redirected to a particular page indicating s/he is already registered with some information about the benefits of being a member.

 

If that user has not yet registered, s/he is redirected to registration form.

 

This is not working particularly well.

 

Example: here is the code that does the redirecting. By the way, I am using custom code for ms_escape_string()

   $strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join EmployeeData e on u.Employee_Id = e.EmpNum inner join tblTBA t on u.Employee_Id = t.Employee_Id WHERE USERNAME = '".ms_escape_string($_POST['user'])."'
	and PASSWORD = '".ms_escape_string($pass)."' ";
//	echo $strSQL;
	$sqll = sqlsrv_query($con, $strSQL);


if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    $firstname = $objResult["empl_first"];
 	$_SESSION["firstname"] = $objResult["empl_first"];

header('location:registered.php?user=' . urlencode($firstname)); } else header("location:register.php?user='".ms_escape_string($_POST['user'])."'&pass='".ms_escape_string($_POST['pass'])."' ");

The problem I am having is with grabbing the values passed to register.php.

$strSQL = "SELECT u.empl_first, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join EmployeeData e on u.Employee_Id = e.EmpNum WHERE USERNAME = ? and PASSWORD = ? "; 
//echo $strSQL; 
$params = array($_GET["user"], $_GET["pass"] 
$sqll = sqlsrv_query($con, $strSQL, $params); 

When I use this code:

 

It works because my form gets populated with the records queried from the database but I know that code has sql injection attack written all over it.

 

However, when I use the following code,  my form is not getting populated. What could I be doing wrong?

 

 

 

Thanks a lot in advance for yoru help

Edited by sonnieboy
If that user has not yet registered, s/he is redirected to registration form.

 

 

if someone tries to log in and the entered username/password combination doesn't match, that doesn't mean they haven't registered. what if they miss-typed the value for either field? you would output a generic 'The username/password didn't match' message for this case and let them try to log in again.

 

if the current visitor is not logged in, you would provide a link to the registration page, near the login form, for them to click on if they desire to register.

 

If the user is registered, s/he is redirected to a particular page indicating s/he is already registered with some information about the benefits of being a member.

 

 

you would this when they register, not when they log in.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.