Database query - will this produce an error?

[Mark H]

Hi all,I've got some code which I am using to check if a cookie is safe and matches the user in my database.I haven't set up the database yet, so at this stage I cannot check if it works.My code is:

if isset($_COOKIE['Place'])  //get user name from Cookie or session.{	$user = $_COOKIE['Place'];	$result = mysql_query("SELECT UserName FROM UserTable WHERE UserName == '$user'");	if $user != $result	{		$user = 'Guest';	}}

Will this work? I know it should work if the cookie value matches a user in the database, but what if the cookie is wrong and does not match. Will it go on to set $user as 'Guest'? Or will it return an error?Many thanks,Mark.

[birbal]

you should use mysql_real_escape_string to escape any user input ($_GET,$_POST,$_COOKIE) if you are querying using those input. i think best way i using session here.

$user = $_COOKIE['Place'];	$result = mysql_query("SELECT UserName FROM UserTable WHERE UserName == '$user'");	if $user != $result	{		$user = 'Guest';	}

WHERE UserName == '$user'

should be

WHERE Username='$user'

there is a problem in your conditional structure. you have to check that how many rows from the database has been returned as a result using http://php.net/function.mysql_num_rows.if it returns 0. it means no row has been return so you can assume it is not enlisted in db

[Mark H]

Thanks!I am also using Session, but I want visitors to "stay logged in", so need a Cookies in that instance. Yes, I know I need to add mysql_real_escape() which I'll do in due course, but thank you as I hadn't realised I needed to in the case of _COOKIE.I've modified the code, thus:

if isset($_COOKIE['Place'])  //get user name from Cookie or session.{	$user = $_COOKIE['Place'];	$result = mysql_query("SELECT UserName FROM UserTable WHERE UserName = '$user'");	$members = mysql_num_rows($result);	if $members = '0'	{		if $user != $result		{		$user = 'Guest';		}	}}else if isset($_SESSION['sessionUser']){	$user = $_SESSION['sessionUser'];}else $user = 'Guest';

It may be that I'm unneccesarily doubling up with the $user != $result?

[Ingolme]

In your script, $result is not a string, it's a resource, so your condition will always evaluate to false.If you want to check the return values of the query, you'll have to pass $result to one of three functions: mysql_fetch_row(), mysql_fetch_assoc() and mysql_fetch_array().The following line has three mistakes:

if $members = '0'

1. The condition must be surrounded in parenthesis ()
2. You're using the assignment operator "=" instead of the comparative operator "=="
3. The number zero shouldn't be within quotation marks because it is a number and not a string.

[birbal]

relogin through cookie is not be good. anyone can create a cookie od user name. and can get into anyones a/c. you have to anyhow authenticate user to relogin.

 if $members = '0'	{		if $user != $result		{		$user = 'Guest';		}	}}

to check a condition you need something like if($memebers==0)more info here http://www.php.net/manual/en/control-structures.if.php

if $user != $result { $user = 'Guest'; }

i am not sure about its purpose. when $members=0 you can assume them as not registered guest

[Mark H]

I had to take a break from this, but now I am back I have been looking through the PHP site.It seems, to me, that mysql_num_rows($result) will give either a number (the number of rows) or FALSE. Therefore I can check either that the number of rows with that Username equals 1, or check it equals FALSE, and have the code act accordingly afterwards.I also noticed another error in my code in that mysql_query() should not have a semi-colon at the end.So here's my slightly adjusted code. Major errors should (I hope!) be corrected, but I know that there will be minor errors which I can check on my WAMP server in due course.

if (isset($_COOKIE['Place']))  //get user name from Cookie or session.{	$user = $_COOKIE['Place'];	$inDb = mysql_query("SELECT UserName FROM UserTable WHERE UserName == '$user'")	$members = mysql_num_rows($result);	if ($members != 1)	{		 $user = 'Guest';	}}else if (isset($_SESSION['sessionUser'])){	$user = $_SESSION['sessionUser'];}else $user = 'Guest';

In order to solve the security issue mentioned by birbal, I am thinking I could use a UserNumber and that user's password in the Cookie. I am thinking to use a system such as:the Cookie Value = "1001 password"Created by SELECTing the UserNumber and the Password and concatentating with the . concatenator.Then to extract the UserNumber and Password into separate values, to use the explode() function.I'm sure I'm still way off! Thank you for your patience.Mark.

[birbal]

storing password in a cookie is not too a good idea. you can use a hashed passkey (as remember token) though to make a re-loginthere was a previous discussion here which may be useful for you.

$inDb = mysql_query("SELECT UserName FROM UserTable WHERE UserName == '$user'")

every statement should terminated by a semicolon. it will be a parse error without a semicolon.

[Mark H]

storing password in a cookie is not too a good idea. you can use a hashed passkey (as remember token) though to make a re-loginthere was a previous discussion here which may be useful for you.every statement should terminated by a semicolon. it will be a parse error without a semicolon.

Thank you for that discussion birbal....I think for now I'll have a remember me, but only remember the username, and require again the password, rather than have an auto-login.As to the statement and semi-colon, what you say is what I thought initially, but I'm sure (or I was sure!) that I saw that a mysql_query shouldn't be followed by a semicolon....I think I must have been imagining things again!