what the hell am i doing wrong

escolta

the first echo

echo $strSQL;

gives:

SELECT company_name from passwds where user = "jgonzalez" and ID = "0052"

wich is allright

but the second pair of echos are supposed to return solution if company_name is solutions and selex if company name is selex

but i always get for an echo selex, even if in the database its solutions

what am i doing wrong?

<?php
 if ($submit)
 {	

$dbcnx = mysql_connect("localhost", "mydabase", "mypassword");
mysql_select_db("selex", $dbcnx);
$strSQL = 'SELECT company_name from passwds where user = "' . $_POST['user'] . '" and ID = "' . $_POST['pass'] . '"' or die(mysql_error()); 
$res = mysql_query($strSQL);
echo $strSQL;
$x = @mysql_num_rows($res);

if($row[company_name] = 'selex')
{
echo 'selex'; 
//$image = 'selex.jpg';
} else {
//$image = 'selex.jpg';
echo 'solutions';
}

toplay

You forgot an extra equal sign. It should be '==' and not '='.

if ($row['company_name'] == 'selex')

Read my tip found here:
http://www.phpbuilder.com/board/showpost.php?p=10647256&postcount=41

😃

escolta

ok, now i think love you

toplay

Huh! and we hardly know each other...LOL.

Glad to help.

Happy coding.

🙂

escolta

ok, now i always get solutions for an echo

leatherback

Well, you ar enot retrieving the info from the database. So there is no $row defined.


<?php
 if ($submit)
 {    // data was submitted
    $dbcnx = mysql_connect("localhost", "mydabase", "mypassword");
        mysql_select_db("selex", $dbcnx);

  $strSQL = 'SELECT company_name from passwds where user = "' . $_POST['user'] . '" and ID = "' . $_POST['pass'] . '"' or die(mysql_error()); 
  $res = mysql_query($strSQL);
  //  echo $strSQL;
    if($res) 
      {
      $x = mysql_num_rows($res);
      while($row = mysql_fetch_array($res) )
        {      

         if($row[company_name] == 'selex')  // my bad: Fixed it
           {
           echo 'selex'; 
           //$image = 'selex.jpg';
           } 
        else 
           {
           //$image = 'selex.jpg';
           echo 'solutions';
           } 
         }
       }
   }

toplay

Display the $row['company_name'] before the 'if' expressions to see what it contains.

You really need to fix the code to where you're checking for MySQL errors. You have the "or die()" in the wrong place. It should be on the mysql_query() command.

You should not even try and use $row['company_name'] unless $x is greater than zero so you know that you're getting back at least one row.

Fix all that and then post your latest code here again if you're still having problems.

EDIT:

And yes, leatherback, is right. You of course need to do a fetch to retrieve the data. Note that leatherback accidentally copied your bad line that has one equal sign, so don't forget that it needs two equal signs.

Example:
http://www.phpbuilder.com/board/showpost.php?p=10648003&postcount=4

escolta

allright...this is working fellas....but i still need your opinion....what do u think?

<?php
 if ($submit)
 {	

$dbcnx = mysql_connect("localhost", "mydabase", "mypassword");
mysql_select_db("selex");
$strSQL = 'SELECT company_name from passwds where user = "' . $_POST['user'] . '" and ID = "' . $_POST['pass'] . '"' ;
$res = mysql_query($strSQL)or die(mysql_error());
$x = @mysql_num_rows($res);
while ($row = mysql_fetch_assoc($res)) {
echo "<p class='text1'>$row[company_name]</p>";
if($row[company_name] == 'selex')
{
echo 'selex'; 
$image = 'selex.jpg';
} else {
$image = 'soluciones.jpg';
echo 'soluciones';
}

}

toplay

It's fine.

To make it better, I would check for any possible error after the mysql_select_db(). Don't assume that it selected the database fine.

I would use mysql_escape_string() on the $POST['user'] and $POST['pass'] fields and not just use them directly like that from the HTML form. See below about magic quotes.

I would get rid of the mysql_num_rows() line if you don't have a need to display the number of rows were found ($x). It's an extra call for nothing.

I would use single quotes in the $row index. i.e. $row['company_name']. And here's why:
http://www.php.net/manual/en/language.types.array.php#language.types.array.donts

It's important to know the settings of 'magic_quotes_gpc' and 'magic_quotes_runtime' php.ini settings before using addslashes(), mysql_escape_string(), or stripslashes() on variable data obtained from a HTML form, file or database. Usually the 'magic_quotes_gpc' is on, and 'magic_quotes_runtime' is off. You can find out their settings from within a script by using get_magic_quotes_gpc() and get_magic_quotes_runtime() functions. When these settings are on, PHP has already done the addslashes() for you. Don't arbitrarily do an addslashes() to variables because you could end up having everything double slashed. Do something like this instead:

$last_name = isSet($_REQUEST['last_name']) ? $_REQUEST['last_name'] : '';
if (!get_magic_quotes_gpc())    // When off, do escape
    $last_name = mysql_escape_string($last_name);  // or use addslashes()
// Here you can add to the table or file fine now

Similarly, after reading from a file or table do not just do stripslashes() routinely because you may strip something in your data that you want to keep. PHP will only do addslashes() to values obtained from a file or table when the 'magic_quotes_runtime' setting is on. Check the setting and do something like this (a database example):

// Do the query and check for errors. The row has O'Brien for a value
while($row = mysql_fetch_assoc($result)) {
    if (get_magic_quotes_runtime()) // O\'Brien will be returned
        echo stripslashes($row['last_name']); // Strip the backslash
    else
        echo $row['last_name'];  // O'Brien will display fine
}

You don't see that kind of handling a lot because 'magic_quotes_runtime' is usually off by default. However, I recommend that you don't rely on it being off and check for it as shown, or set it off using set_magic_quotes_runtime() function.

Note that the mysql_escape_string() function does a little more than the addslashes().

The mysql_escape_string() returns a string with all characters that could break the query escaped (with a backslash placed before them). The characters that are escaped include null (\x00), new line (\n), carriage return (\r), backslash (), single quote (‘), double quote (“), and CTRL+Z (\x1A). It does not escape percentage (%) and underscore (_) characters. This makes a query safe to use. Anytime user input is used in a query, this function should be used to make the query safe.

The addslashes() does single quote (‘), double quote (“), backslash () and null.

leatherback

About what?
About removing the formatting? I think you should have kept the indentation, which was there for you having a clearer view of the code.
Besides.. If it works, it wors. Just make sure it works also when people do stupid stuff. And you need to test variables which are posted by users, to make sure there is no horrible info in them.
use things like htmlspecialchars, addslashes,