counting logins

[cybershit]

	
.............

else if(empty($password)){
		$errorMsg[]="please enter password";
	}
	else
	{
		try
		{
			$select_stmt=$db->prepare("SELECT * FROM tbl_user WHERE username=:uname OR email=:uemail");
			$select_stmt->execute(array(':uname'=>$username, ':uemail'=>$email));
			$row=$select_stmt->fetch(PDO::FETCH_ASSOC);
			
			if($select_stmt->rowCount() > 0)
			{
				if($username==$row["username"] OR $email==$row["email"])
				{
					if(password_verify($password, $row["password"]))
					{
						$_SESSION["user_login"] = $row["user_id"];
					
						//----------------
                        $pdo_statement=$db->prepare("update tbl_user set logins=7 where user_id=2");
        	            $result = $pdo_statement->execute();
						//----------------

						$loginMsg = "Successfully Login...";
						header("refresh:2; welcome.php");

					}
					else

hey guys iam starting to learn during this crysis php :-). I got stucked with this pdo style..... i like to count logins, i tryed and figured out i can use the id... but my  question is how  can replace this "where user_id=2" to get the specific ID for the current user login in? the count function i i know how to make the... first i want to know how to write the syntax  of this pdo......

thank you :-)

[Barand]

The same way that you did with the username and email in the first query.

[cybershit]

lol i got it....

$pdo_statement=$db->prepare("update tbl_user set logins=7  WHERE user_id = '".$_SESSION['user_login']['user_id']."';");

thank you SIR 🙂

 

lol the syntax is sometimes little crazy xDD

Edited May 18, 2020 by cybershit

[Barand]

1 ) That isn't how you did it in the first query.

2 ) It's wrong.

3 ) Never put variables into a query. That's why "prepare" is used.

[cybershit]

ah ok good to know ^^ than wait i have to raed little bit....

[gizmola]

1 hour ago, cybershit said:

update tbl_user set logins=7 WHERE user_id = '"

It is not complicated.  Use  a parameter:

$pdo_statement=$db->prepare("update tbl_user set logins=7 where user_id=:userId");
$result = $pdo_statement->execute(array(':userId' => $_SESSION['user_login']['user_id']));

Also, you do not ever need to have a ';' at the end of your SQL query.  Using the API is not the same as being in the mysql command line client -- each statement is going to be sent for you.  

[cybershit]

no you are right SIR  its not very complicated but the syntax is really crazy for beginner ......

 but i have one last question please...

$login_counter = $row['logins'] +1;

//------your code ----------
			
$pdo_statement=$db->prepare("update tbl_user set logins=$login_counter where user_id=:userId");
$result = $pdo_statement->execute(array(':userId' => $_SESSION['user_login']['user_id']));
         
// ------my code  ---------

$sql = $db->prepare("UPDATE tbl_user SET logins=$login_counter WHERE user_id = '".$_SESSION['user_login']['user_id']."';");
$sql->execute();

what is finally the difference in the point

3 ) Never put variables into a query. That's why "prepare" is used.

?

[Phi11W]

17 hours ago, cybershit said:

3 ) Never put variables into a query. That's why "prepare" is used.

?

Obligatory XKCD reference: Little Bobby Tables

Regards, 
   Phill  W.

[Barand]

18 hours ago, cybershit said:

what is finally the difference in the point

At the risk of stating the bleedin' obvious,

• the first set of code above uses a placeholder (:userId) and passes the user id value in the execute() call. This is the correct way to use prepare().
• The second puts the user id value directly into the query string.

BTW, you stored the user id in $_SESSION[''user_login'] and not in $_SESSION['user_login']['user_id'].