Userid + database

designervision

I have tried hard to get it to work but to no avail so thanks a lot if you can help.

Heres what I want to happen.

User log in
User clicks on link to progress.php
5 images show up on this page. Each of the images are one of two and what they are depends on whether a 1 or a 0 is present in the database.

For each user there will be different ones showing - depending on what the numbers are (1 or 0). I am trying to get a users images to be displayed using their unique ID which should be set when the log in.

Here is the code which has the images (please note - for ease purpose, I have shortened it to one image).

<?php
session_start();
$userid=$_SESSION['userid'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<?php

$database=mysql_connect("localhost","user", "pass");



mysql_select_db("test",$database);

$query = "SELECT * FROM members WHERE `userid`='{$userid}'";
$result=mysql_query($query) or die("Error in query: ".mysql_error());

if(mysql_num_rows($result) > 0){
echo "We are getting a result!";
}

while($img=mysql_fetch_assoc($result)){

$image_num=$img['stg1'];

if($image_num=="0"){

echo"<img src='images/not_completed.gif' />";

}elseif($image_num=="1"){

echo"<img src='images/completed.gif' />";

}else {

echo" sorry there is no images to show";

}
 }
?>

</body>
</html>

Here is the login:

<?php session_start(); ?>
<?php
/// connect to database
require("config.php");
$con=mysql_connect($mysql_hst,$mysql_us,$mysql_ps);
if (!$con)
  {
  die('Could not connect: ' . mysql_error() . '<br /><br />Check your config file or contact your server support team.');
  };

/// select DB
if (!mysql_select_db($mysql_db, $con)){die ("Could not connect to the database you specified. Make sure it exists and is correctly named within config.php");};
$_SESSION['username'] = str_replace(' ','/space',strtolower(mysql_real_escape_string($_POST[username])));
$_SESSION['password'] = base64_encode($_POST[password]);


/// connect to database
$con=mysql_connect($mysql_hst,$mysql_us,$mysql_ps);
if (!$con)
  {
  die('Could not connect: ' . mysql_error() . '<br /><br />Check your config file or contact your server support team.');
  };

/// select DB
if (!mysql_select_db($mysql_db, $con)){die ("Could not connect to the database you specified. Make sure it exists and is correctly named within config.php");};

if ($_POST["username"] == ""){die ('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};
if ($_POST["password"] == ""){die ('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};

$password = base64_encode($_POST[password]);
$username = str_replace(' ','/space/',mysql_real_escape_string(strtolower($_POST[username])));
$found = 0;
/// if exists
$ifexists = mysql_query("SELECT * FROM members");
while($row = mysql_fetch_array($ifexists))
  {
  if ($row[username] == $username){
  /// check password
  if ($row[password] == $password){
  ///check active
  if ($row[active] == "1") {$found = "1";$_SESSION['userid'] = $row[id];$_SESSION['userid'] = $row[id];} else {echo ("Account has not been activated - Check Your Email");};} else {echo('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};};};

if ($found == "0") {die('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};

if ($found == "1") {echo('<meta http-equiv="refresh" content="1; URL=index.php" />');};

?>

and if needed, here is require.php

<?php /// require.php
session_start();


if (!$_SESSION['username']){echo('<meta http-equiv="Refresh" content="0;url=clientlogin.php" />Please Log In');

};

$username = $_SESSION['username'];
$password = $_SESSION['password'];



?>

It currently displays this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

leatherback

hmm..
There is a whole lot wrong with this. Don't know where to start really..

First of all: You connect and disconnect to the database a lot..
I have a little function which does this for me:


$db_host="***"; 
$db_user="***";
$db_password="";
$db_name="****";
$table_body="";

function db_connect()
  {
  global $db_host, $db_user, $db_password, $db_name;

  $db_link = mysql_connect($db_host, $db_user, $db_password)
       or handle_errors("GEN", 1, 1, -1);
       mysql_select_db($db_name);
  return $db_link;
  }

function db_disconnect($db_link)
  {
  mysql_close($db_link);
  }

where the handle_errors() function is a loggin exercise, that logs the error. In your case you could spit out the "could not connect" error. It selectes the database for you too. Hope it helps you.:
$DBH = db_connect();
db_disconnect($DBH);
Remebwer: If you do not disconnect, you do not need to reconnect.

if ($_POST["username"] == ""){die ('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};
if ($_POST["password"] == ""){die ('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};

All I ask is: Why.. Why not do the error handling in the file? Or use an include()? Sending a page to the user takes time, and will slow your site down. Use: header(location: "URL");

$ifexists = mysql_query("SELECT * FROM members");
while($row = mysql_fetch_array($ifexists))
  {
  if ($row[username] == $username){
  /// check password
  if ($row[password] == $password){
  ///check active
  if ($row[active] == "1") {$found = "1";$_SESSION['userid'] = $row[id];$_SESSION['userid'] = $row[id];} else {echo ("Account has not been activated - Check Your Email");};} else {echo('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};};};

if ($found == "0") {die('<meta http-equiv="Refresh" content="0;url=error.php?li=Please+enter+valid+details" />');};

No!

$query = "SELECT * FROM members where username='".$username."' and password = '".$password."' and active=1";
$result = mysql_query($query) or die('Some messup here'.mysql_error());
if(mysql_num_rows($result) > 0)
  {
  // user logged in. Don't meta-refresh!
  }
else
  {
  // user not logged in. Don't meta-refresh! 
  }