widget Posted November 3, 2007 Share Posted November 3, 2007 My site has a quite strict 1 account per user rule. Sometimes the IP check is not 100% accurate and I have found that most duplicate users use the same password for each account. What I have done is created a form with a user name input field. I would then like to store that users password in a variable and then cross check the users table and display all matching results by username. This is what I currently have and its not working. if (!$act) { <FORM ACTION="admin_search_pw.php" METHOD=get> <input type=hidden name=act value=search> <INPUT TYPE=text NAME="pw_user" VALUE="" SIZE=38> <INPUT TYPE=submit VALUE="Search!"> </FORM> } if ($act) { $pw = "SELECT * FROM members2 WHERE `username` == '%$pw_user%'"; $sql_query = ("SELECT username FROM `members2` WHERE password == $pw"); //store the SQL query in the result variable $result = mysql_query($sql_query); if(mysql_num_rows($result)) { //output as long as there are still available fields ?><table><? while($row = mysql_fetch_row($result)) { echo ("<tr><td>$row[1]<br><br></td></tr>"); } ?></table><? } //if no fields exist else { echo "no values in the database"; } } Any help would be much appreciated, oh and no I dont want to see the password, just the usernames with matching passwords. The actual form method works, just not my database results code. this is the error Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chicka/public_html/admin/admin_search_pw.php on line 59 no values in the database Quote Link to comment Share on other sites More sharing options...
wildteen88 Posted November 3, 2007 Share Posted November 3, 2007 If you are getting that error then you should check your query for errors. Looking at your query there is a few problems. 1. You are using a reserved MySQL keyword for a field name, which is password If you use a reserved word in your query you should wrap back ticks (`) around the field name. 2. strings should be wrapped in quotes and invalid operator used: ... WHERE password == $pw <-- incorrect ... WHERE `password` = '$pw' <-- correct SO change this line: $sql_query = ("SELECT username FROM `members2` WHERE password == $pw"); To: $sql_query = ("SELECT username FROM `members2` WHERE `password` = '$pw'"); and you should not get the error any more. If you do still get an error, change this line: $result = mysql_query($sql_query); to: $result = mysql_query($sql_query) or die('Query Error:<br />'.$sql_query.'<br /><br />'.mysql_error()); Quote Link to comment Share on other sites More sharing options...
widget Posted November 3, 2007 Author Share Posted November 3, 2007 thank you for that but now i get this error Query Error: SELECT username FROM `members2` WHERE `password` = 'SELECT password FROM members2 WHERE `username` == '%lollypopchicka%'' Unknown column 'lollypopchicka' in 'where clause' current code is if ($act) { $pw = ("SELECT password FROM members2 WHERE `username` == '%$pw_user%'"); $sql_query = ("SELECT username FROM `members2` WHERE `password` = '$pw'"); //store the SQL query in the result variable $result = mysql_query($sql_query) or die('Query Error:<br />'.$sql_query.'<br /><br />'.mysql_error()); if(mysql_num_rows($result)) { //output as long as there are still available fields ?><table><? while($row = mysql_fetch_row($result)) { echo ("<tr><td>$row[1]<br><br></td></tr>"); } ?></table><? } //if no fields exist else { echo "no values in the database"; } } Quote Link to comment Share on other sites More sharing options...
dbo Posted November 3, 2007 Share Posted November 3, 2007 There is no == in SQL Quote Link to comment Share on other sites More sharing options...
wildteen88 Posted November 3, 2007 Share Posted November 3, 2007 You can't do queries like that! What do you want to be returned from the query? Do you want both the username and password or just the username or password? Quote Link to comment Share on other sites More sharing options...
widget Posted November 3, 2007 Author Share Posted November 3, 2007 Just the usernames All im trying to do is enter a username in the form and have it display all usernames with a matching password. Quote Link to comment Share on other sites More sharing options...
wildteen88 Posted November 3, 2007 Share Posted November 3, 2007 Then you'll use the following query: $sql_query = "SELECT username, password FROM `members2` WHERE `username`='$pw_user'"; Not two. Quote Link to comment Share on other sites More sharing options...
widget Posted November 3, 2007 Author Share Posted November 3, 2007 that just gives me the username or password (depending on what I change the row number to) of the person I typed into the form. I need to to display all usernames that have a matching password. if ($act) { $sql_query = "SELECT username, password FROM `members2` WHERE `username`='$pw_user'"; //store the SQL query in the result variable $result = mysql_query($sql_query) or die('Query Error:<br />'.$sql_query.'<br /><br />'.mysql_error()); if(mysql_num_rows($result)) { //output as long as there are still available fields ?><table><? while($row = mysql_fetch_row($result)) { echo ("<tr><td>$row[0]<br><br></td></tr>"); } ?></table><? } //if no fields exist else { echo "no values in the database"; } } Quote Link to comment Share on other sites More sharing options...
widget Posted November 3, 2007 Author Share Posted November 3, 2007 Nevermind, I've set up 2 forms. 1 to give me the password and then another to compare the password. I was going to have my site mods use this tool. The passwords are encrypted, so is it still safe to let them use it? Is there a way they can work out what the passwords are? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.