Syntax in SELECT and other places

[Mark H]

Hi all,I'm working on my auto-login script. There are a number of things still to do.Yet I'm getting a little confused on a couple of issues. (I include my code below in case you want to look, but my main questions I will put first.)Firstly, when using SELECT to access the database, I am using the following:

$publicUser = mysql_query("SELECT publicName FROM sf_pw_users WHERE userName == $user");

Will this work? I'm intending that the script selects the publicName column in the same row where it finds the userName.I also have an issue with the $_COOKIE. I want to store three values. What I've done is to use three separate cookies, as from the tutorial it didn't look like I could store multiple values in a cookie.(I have already had a discussion about the security of using Cookies for an auto-login. I do not need 100% security, but think that including a timestamp will give sufficient security.)There is one further question midway down my code, regarding what a SELECT function (? is this called a 'function'?) will return should it find no match?

<?phpini_set('display_errors', 1);ini_set('html_errors', 1);error_reporting(E_ALL);// get database //// MAKE REAL: require_once '../databases/pwDb.php'; //// set Variables //$signedIn = 'False'; $user = 'Guest'; if (isset($_COOKIE['PW_user_Number']))  // get user number from Cookie{	// check Cookie User Number	$cookieUser = $_COOKIE['PW_userNumber'];	$inDb = mysql_query("SELECT userNumber FROM sf_pw_logins WHERE userNumber == $cookieUser");/* NOTE: - A question: Will the 'False' string here be right?  What will the above query return if no match is found?*/	if ($inDb != 'False') // check what the return value would be if no user found	{		// check Username		$userName = $_COOKIE['PW_UserName']; // where cookie username is		$userMatch = mysql_query("SELECT userName FROM sf_pw_logins WHERE userNumber == $inDb");		if ($userName == $userMatch)		{			// check Time Stamp			$timeStamp = $_COOKIE['PW_timeStamp']; // where cookie timestamp is			$timeMatch = mysql_query("SELECT timeStamp FROM sf_pw_logins WHERE userNumber == $inDb");			if ($timeStamp == $timeMatch)			{				$user = $userName;				$_SESSION['sessionUserName'] = $userName;				$signedIn = 'True';			}			else			{				$user = 'Guest';				$signedIn = 'False';			}		}		else			{				$user = 'Guest';				$signedIn = 'False';			}	}	else			{				$user = 'Guest';				$signedIn = 'False';			} } else			{				$user = 'Guest';				$signedIn = 'False';			}	if (isset($_SESSION['sessionUser'])){	$user = $_SESSION['sessionUser'];	$signedIn = 'True';}else {	$user = 'Guest';	$signedIn = 'False';}// set $user as Public Nameif ($user =! 'Guest'){	$publicUser = mysql_query("SELECT publicName FROM sf_pw_users WHERE userName == $user");}?>

Many thanks!

[birbal]

Firstly, when using SELECT to access the database, I am using the following:CODE$publicUser = mysql_query("SELECT publicName FROM sf_pw_users WHERE userName == $user");

you have to quote when it is string.in sql you dont need to put two equal sign as to check condition you should have to put one.

$publicUser = mysql_query("SELECT publicName FROM sf_pw_users WHERE userName ='$user'");

you can store multiple data in a array and then serialise the array in a cookie so that multiple value can be stored in a cookie if you need so. when you need to get its value you have to unserialize the cookie. rather than serialising you can use data=value,data2=value2 like structure. which can be formated and parse by using explode() implode().

There is one further question midway down my code, regarding what a SELECT function (? is this called a 'function'?) will return should it find no match?

'Select' not a function it is a mysql query which is executed by mysql_query() function. you can use mysql_num_rows() to get the returned row number. if its 0 you can assume there is no match.

[Mark H]

Thank you birbal. I follow most of that, with the exception of serializing the cookie or using data1=value1 etc. ?I have looked a little into explode() implode() but will have another look and then maybe it will be clear.Thanks again!Mark.

[Mark H]

Hi birbal and others.I think I've got it. Just want to check about the mysql_num_rows() function.Am I using it correctly here:

if (isset($_COOKIE['PW_user'])) // get user name from Cookie{	$user_array = explode("#",$_COOKIE['PW_user'],3);	if	{	// check Cookie User Number		$cookieUser = $user_array[0];		$inDb = mysql_query("SELECT userNumber FROM sf_pw_logins WHERE userNumber = '$cookieUser'");		$recordThere = mysql_num_rows('$inDb');		if ($recordThere != '0') 	{		// check Username		$userName = $user_array[1]; // where cookie username is		$userMatch = mysql_query("SELECT userName FROM sf_pw_logins WHERE userNumber = '$inDb'");		if ($userName == $userMatch)		{			// check Time Stamp			$timeStamp = $user_array[2]; // where cookie timestamp is			$timeMatch = mysql_query("SELECT timeStamp FROM sf_pw_logins WHERE userNumber = '$inDb'");			if ($timeStamp == $timeMatch)			{				$user = $userName;				$_SESSION['sessionUserName'] = $userName;				$signedIn = 'True';			}			else			{				$user = 'Guest';				$signedIn = 'False';			}		}		else			{				$user = 'Guest';				$signedIn = 'False';			}	}	else			{				$user = 'Guest';				$signedIn = 'False';			} } else			{				$user = 'Guest';				$signedIn = 'False';			}

Or should it be a new mysql_query? e.g.

$recordThere = mysql_num_rows("SELECT userNumber FROM sf_pw_logins WHERE userNumber = '$cookieUser'");

Thanks!Mark.(P.S. I do really appreciate the wonderful help you guys give. Between the tutorials and this forum, I think I'm learning things. Thanks!)

[birbal]

$inDb = mysql_query("SELECT userNumber FROM sf_pw_logins WHERE userNumber = '$cookieUser'"); $recordThere = mysql_num_rows('$inDb'); if ($recordThere != '0') {

$recordThere = mysql_num_rows('$inDb');

would be

 $recordThere = mysql_num_rows($inDb);

if you write it in quote it will be treated as string literal not the resultset resource.mysql_num_rows() takes only a valid resultset as parameter. more details can be found here http://php.net/function.mysql_num_rows

if ($recordThere != '0')

when you check the condition you may like to use without quote around zero. for the same reason as above it will be treated as string. where as $recordTime will return an integer. though as for loosely comparison it will not made any difference though, writing it as integer seems more appropiate.

 if ($recordThere != 0)

[Mark H]

Thanks, I was a little confused as to how a resource differed to a normal variable.Looked up on the reference manual and see now that it acts almost like a separate variable, yet accessed differently (noting the no quotes!).Thanks.Mark.

[Ingolme]

Actually, to do anything with a variable you have to keep it outside quotes. PHP has a handy, but misunderstood feature that lets variables inside certain strings be parsed, but you shouldn't do it as a general practise.

[Mark H]

Thanks Ingolme,If I'm understanding correctly, though, although in PHP the variables should be without quotes, it seems that within my_sql functions the variable should be within quotes. Is this a difference between my_sql functions and the rest of PHP? Clarification would help. Thanks.Mark.EDIT: - Just looked into this more, and note that a string variable would be in quotes and a numeric variable not. But does this apply always, or only in my_sql functions?

[birbal]

although in PHP the variables should be without quotes,

that is not like you cant use variable in quotes.in single quote variable value does not evaluated but in double quotes its values get evaluated.When you pass parameter in mysql_*() . eg mysql_query() you are basicaly passing a string into it. a string can be a single quoted or double quoted. but when you need to get the value of the variables in the string you have to use double quote. thats why you may see in mysql function some variables are used in the double quote. and it dont depends what does the variable contains it will always get evaluated if its in double quotes