[Resolved] detect nonexistant row before fetch

mberman

I'm trying to write a logins script with comprehensive error messages. I'm running into a problem when I try to see if a user doesn't exist. In order to see if the row doesn't exist, I have to fetch it first. But mysql_fetch_row returns a complciated (for the end user) error message if the username column (which is the index) doesn't contain an entry for the username. The code below will give the essence:

	$server = $mysql['server'];
	$username = $mysql['username'];		//suck vars out of array
	$password = $mysql['password'];
	$db = $mysql['db'];

$dbh = mysql_connect($server, $username, $password);		//connect
if(!$dbh) {
	$email = $admin['email'];
	die("<b>Uh hoh! I've encountered an error!</b> Please go <a href='javascript:history.go(-1)'>back</a>, or <a href='mailto:$email'>email us</a> regarding the error. When trying to connect, the MySQL server said: <code>" . mysql_error() . "</code>");
}
$switch = mysql_select_db($db, $dbh);	//set the db to the config.php defined value
if(!$db) {
	$email = $admin['email'];
	die("<b>Uh hoh! I've encountered an error!</b> Please go <a href='javascript:history.go(-1)'>back</a>, or <a href='mailto:$email'>email us</a> regarding the error. When trying to change the MySQL database, the server said: <code>" . mysql_error() . "</code>");
}
$username = $_GET["username"];
$password = $_GET["password"];
$pass = md5($password);
$query="SELECT * FROM user WHERE username='$username'";
$qexec = mysql_query($query);
if($qexec == "") {			//BROKEN! BROKEN!
		die("<strong>There is no such user</strong>. The user '$username' does not exist in our records. Please <a href='login.php'>return to the main login page</a> and try again.");
	}
$out = mysql_fetch_row($qexec);
	if($out[2] == $pass) {
		$name = $out[1];
		$username = $out[0];
		echo "<strong>Login succedded for user $name! Welcome!";
	} else  {
		$name = $out[1];
		$username = $out[0];
		echo "<strong>Login Failed</strong>. You provided invalid login credentials for the user '$username' ($name). Please <a href='javascript:history.go(-1)'>back up</a> and fix the errors. If you beleive that you shouldn't be getting this error message, <a href='mailto:mberman1@uni.uiuc.edu'>contact us</a> regarding the error.";
}

Anyone have any suggestions?

planetsim

You seem to be making this more complicated then what it should be.

Firstly do the query.

Then run mysql_num_rows() if it returns 1 then there is a user under that username. Then fetch that rows values and evaluate the password agaisnt this usernames password. At the moment you are retrieving the row even if the user doesnt exist and only checking if the query run successfully.

mberman

Wow, that makes total sense. I wasn't aware that mysql_num_rows existed. Thanks for your help, planetsim!