cerin Posted February 26, 2006 Share Posted February 26, 2006 I'm trying to get a password from a mysql database and compare it to the user's input, but I can't figure out what to use to put the returned password in a variable or something so that it is actually comparable to the user's input. This is what I have so far:[code]<?phpinclude 'config.php';mysql_select_db($usersdb);$pquery="SELECT password WHERE userid={$_POST['username']} FROM userinfo";$result=mysql_query($pquery);$pass=mysql_fetch_array($result,MYSQL_ASSOC);echo $pass['password'];?><form method="Post"><p> Username: <input type='text' name='username' /><input type='submit' /></p></form><form method='Post'><p>Password: <input type='text' name='password' /><input type='submit' /></p></form>[/code]I tried a couple things, but I don't know how any of them really work.With this code I get the error:[code]Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\AppServ\www\forum\login.php on line 6[/code] Link to comment https://forums.phpfreaks.com/topic/3618-password-retrieval-with-phpmysql/ Share on other sites More sharing options...
yarnold Posted February 26, 2006 Share Posted February 26, 2006 First of all you need to read up on [b]SQL Injection[/b].Escape all input, escape all output. Link to comment https://forums.phpfreaks.com/topic/3618-password-retrieval-with-phpmysql/#findComment-12558 Share on other sites More sharing options...
hitman6003 Posted February 26, 2006 Share Posted February 26, 2006 [code]<?phpif (isset($_POST)) { //connect to your db include 'config.php'; mysql_select_db($usersdb); //get and escape your two user inputs $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); //rather than trying to retrieve the password, then check to see if they match in php, //use the following query and let SQL do that work for you. $pquery = "SELECT username FROM userinfo WHERE userid = '$username' AND password = '$password'"; $result = mysql_query($pquery) or die("Could not query: " . mysql_error()); //if one row was returned, then the username/password combo was found if (mysql_num_rows($result) == 1) { echo "User Authenticated"; } else if (mysql_num_rows($result) == 0) { //if no rows are returned, then the user was not in the db echo "User not found"; } else { //you may have more than one entry for the same person...which is bad. echo "Error occurred during verification"; } //header("nextpage.php"); exit;}?><form method="Post" action="<?php $_SERVER['PHP_SELF']; ?>"><p> Username: <input type='text' name='username' /></p><p>Password: <input type='text' name='password' /><br /><input type='submit' name="submit" value="Submit"/></p></form>[/code] Link to comment https://forums.phpfreaks.com/topic/3618-password-retrieval-with-phpmysql/#findComment-12571 Share on other sites More sharing options...
cerin Posted February 28, 2006 Author Share Posted February 28, 2006 Your script displays "User not found" and exits before post is set. Link to comment https://forums.phpfreaks.com/topic/3618-password-retrieval-with-phpmysql/#findComment-13158 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.