else block is not working

Ali_baba

Technically my script is correct but I don't know why "else" block is not working. Any suggestion please?

It is a script that will take username and password. On successful entry, it will allow to proceed but in failure attempt, it will give an error.

$db_username = "student";
$db_password = "itk215";
$db_name =  "itk215";
$mysql_link = mysql_connect( "localhost", "$db_username", "$db_password") or die( "Unable to connect to database server");
@mysql_select_db( "$db_name") or die( "Unable to select database");
$result = mysql_query("SELECT * FROM ktl");
$res_pass = md5($passwrd);
while ($array = mysql_fetch_array($result))  { 
  if ($user_name == $array['user_name'] && $res_pass == $array['passwrd']) { 
      if ($user_name == 'epshp' && $res_pass == 'c6d55d3a54a8ccf983ccdc4b859d5ff3') { 
      echo "<br> 
            <table border=\"0\" align =\"center\"> 
            <tbody> 
            <tr> 
            <td>You are authorized.</td> 
            </tr> 
            <tr> 
            <td> 
            <form action=\"epshp/epshp_entry.php\" method=\"post\" /> 
            <input type=\"hidden\" name=\"verify_epentry\" value =\"ok\" /> 
            <input type=\"submit\" value=\"Continue\" /> 
            </td></tr></tbody></table>"; 

  } 
  elseif ($user_name == 'ksshp' && $res_pass == 'b0634bc990f2ba6475ec82e25def6a4f') { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are authorized.</td> 
        </tr> 
        <tr> 
        <td> 
        <form action=\"ksshp.php\" method=\"post\" /> 
        <input type=\"hidden\" name=\"verify_ksshp.php\" value =\"ok\" /> 
        <input type=\"submit\" value=\"Continue\" /> 
        </td></tr></tbody></table>"; 

  } 
  elseif ($user_name == 'ppshp' && $res_pass == '5a04124927fb8a6526e9770e108eb0ef') { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are authorized.</td> 
        </tr> 
        <tr> 
        <td> 
        <form action=\"ppshp.php\" method=\"post\" /> 
        <input type=\"hidden\" name=\"verify_ppshp.php\" value =\"ok\" /> 
        <input type=\"submit\" value=\"Continue\" /> 
        </td></tr></tbody></table>"; 

  } 
  elseif ($user_name == 'pshp' && $res_pass == 'eed3220fc469fcc89b4161af2a333a9c') { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are authorized.</td> 
        </tr> 
        <tr> 
        <td> 
        <form action=\"pshp.php\" method=\"post\" /> 
        <input type=\"hidden\" name=\"verify_pshp.php\" value =\"ok\" /> 
        <input type=\"submit\" value=\"Continue\" /> 
        </td></tr></tbody></table>";       
   }   
   else { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are not authzed.</td> 
        </tr> 
        <tr> 
        <td> 
        <form />
        <input type=\"button\" value=\"Back\" onclick=\"history.go(-1)\"> 
        </td></tr></tbody></table>"; 
    }    
}       
} 
@mysql_close($mysql_link);

Any suggestion/modifying the script please?

Frederick

You query is only quering the first record.
$result = mysql_query("SELECT * FROM ktl");

Change to:

$res_pass = md5($passwrd);
$result = mysql_query("SELECT * FROM ktl WHERE user_name='$user_name' AND passwrd='$res_pass' ");

Ali_baba

Dear frederick,

Thanks for the reply. I have changed my code according to your suggestion and it is not working 🙁 When the user_name and res_passwrd are wrong then I see only blank page rather than an error message.

$db_username = "student";
$db_password = "itk215";
$db_name =  "itk215";
$mysql_link = mysql_connect( "localhost", "$db_username", "$db_password") or die( "Unable to connect to database server");
@mysql_select_db( "$db_name") or die( "Unable to select database");
$res_pass = md5($passwrd);
$result = mysql_query("SELECT * FROM ktl WHERE user_name='$user_name' AND passwrd='$res_pass'");
while ($array = mysql_fetch_array($result))  { 
  if ($user_name == $array['user_name'] && $res_pass == $array['passwrd']) { 
      if ($user_name == 'epshp' && $res_pass == 'c6d55d3a54a8ccf983ccdc4b859d5ff3') { 
      echo "<br> 
            <table border=\"0\" align =\"center\"> 
            <tbody> 
            <tr> 
            <td>You are authorized.</td> 
            </tr> 
            <tr> 
            <td> 
            <form action=\"epshp/epshp.php\" method=\"post\" /> 
            <input type=\"hidden\" name=\"verify_epshp\" value =\"ok\" /> 
            <input type=\"submit\" value=\"Continue\" /> 
            </td></tr></tbody></table>"; 

  } 
  elseif ($user_name == 'ksshp' && $res_pass == 'b0634bc990f2ba6475ec82e25def6a4f') { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are authorized.</td> 
        </tr> 
        <tr> 
        <td> 
        <form action=\"ksshp/ksshp.php\" method=\"post\" /> 
        <input type=\"hidden\" name=\"verify_ksshp\" value =\"ok\" /> 
        <input type=\"submit\" value=\"Continue\" /> 
        </td></tr></tbody></table>"; 

  } 
  elseif ($user_name == 'ppshp' && $res_pass == '5a04124927fb8a6526e9770e108eb0ef') { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are authorized.</td> 
        </tr> 
        <tr> 
        <td> 
        <form action=\"ppshp/ppshp.php\" method=\"post\" /> 
        <input type=\"hidden\" name=\"verify_ppshp\" value =\"ok\" /> 
        <input type=\"submit\" value=\"Continue\" /> 
        </td></tr></tbody></table>"; 

  } 
  elseif ($user_name == 'pshp' && $res_pass == 'eed3220fc469fcc89b4161af2a333a9c') { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are authorized.</td> 
        </tr> 
        <tr> 
        <td> 
        <form action=\"pshp/pshp.php\" method=\"post\" /> 
        <input type=\"hidden\" name=\"verify_pshp\" value =\"ok\" /> 
        <input type=\"submit\" value=\"Continue\" /> 
        </td></tr></tbody></table>";       
   }   
   else { 
  echo "<br> 
        <table border=\"0\" align =\"center\"> 
        <tbody> 
        <tr> 
        <td>You are not authzed.</td> 
        </tr> 
        <tr> 
        <td> 
        <form />
        <input type=\"button\" value=\"Back\" onclick=\"history.go(-1)\"> 
        </td></tr></tbody></table>"; 
    }    
}       
} 
@mysql_close($mysql_link);

I am getting $user_name and $passwrd from previous page. The database also have the fields with the same names

Frederick

According to these type of lines, you are overriding your results you maybe getting in your query by blocking with the if and if..else statements.

if ($user_name == 'epshp' && $res_pass == 'c6d55d3a54a8ccf983ccdc4b859d5ff3') {

I suggest to use a value in a field to determine what access a person gets such as:
auth(int) 1

if ($array["auth"] == 1) {
   // do something
}
elseif ($array["auth"] == 2) {
   // do something
}

Ali_baba

Hello,

Thanks for the reply. I am not sure if I understood you correctly but what I guessed is :

If you mean to replace 'epshp' by an integer value then it is difficult since I must take 'epshp' by user as input.

What I understood is :

if ($user_name == $array['user_name'] && $res_pass == $array['passwrd']) { 
      if ($array['user_name'] == 'epshp' && $array['passwrd'] == 'c6d55d3a54a8ccf983ccdc4b859d5ff3') {

sorry to be annoying and asking questions. I am new in PHP and I am tying to lear as fast as possible

Weedpacket

Two things.

If you want to know if a supplied username and password match a row in the database, you don't need to ask for all rows where the username matches the supplied username, and the password matches the supplied password, and then look to see if the username matches the supplied username and the password matches the supplied password. The fact I said all that twice is a sign that you're doing the same thing twice.

The other thing is that your if/elseif cases are so similar it would make sense to have the computer go through them itself. The only bits that change are the bits based on the username, and the computer knows the username by this point.

By simplifying the code it becomes harder for bugs to hide.

So, starting from the query...

$result = mysql_query("SELECT COUNT(*) FROM ktl WHERE user_name='$user_name' AND passwrd='$res_pass'");
// COUNT because you don't need the actual data in the row, just whether there
// is a row there or not.
$result_count = mysql_result($result,0,0);
if($result_count>0) // A successful match against a database record.
{
echo "<br>
	<table border=\"0\" align =\"center\">
	<tbody>
	<tr>
	<td>You are authorized.</td>
	</tr>
	<tr>
	<td>
	<form action=\"$user_name/$user_name.php\" method=\"post\" />
	<input type=\"hidden\" name=\"verify_$user_name\" value =\"ok\" />
	<input type=\"submit\" value=\"Continue\" />
	</td></tr></tbody></table>";  

}
else
{
echo "<br>
            <table border=\"0\" align =\"center\">
            <tbody>
            <tr>
            <td>You are not authzed.</td>
            </tr>
            <tr>
            <td>
            <form />
            <input type=\"button\" value=\"Back\" onclick=\"history.go(-1)\">
            </td></tr></tbody></table>";
}

Ali_baba

Yeepee!
that worked. I didn't know the function (mysql_result)

Your explaination made a quite good sense for me.

Thanks a lot sir

and have a nice weekend 🙂