Variable names and the SELECT FROM WHERE

partano

$alpha = mysql_real_escape_string($_POST['fromotherpage]);

mysql_select_db("papers", $con);

$sql = mysql_query("SELECT * FROM login WHERE 'user'='$alpha'");

assuming its connecting to the database and the index field is user, I want the variable $alpha to be the search condition.

I have tried even the simplest command on the PHPmyadmin run SQL query and get the syntax error. I have tried like...

$alpha ="test" and get the error ..

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$alpha = "test"' at line 1

the end idea is to have the "WHERE 'user = '$alpha' " function work so I will retreive specifically that single record.

I know this question seems a littel basic, but cant find the answer anywhere.

Thanks

laserlight

Perhaps you should try this:

mysql_select_db("papers", $con);

$alpha = mysql_real_escape_string($_POST['fromotherpage']);
$sql = mysql_query("SELECT * FROM login WHERE user='$alpha'");

It seems to me that the SQL statement should be syntactically correct either way, so perhaps there is another problem.

partano

Nope it doesnt work either.

laserlight

Nope it doesnt work either.

I predicted as much, so obviously just telling me that does not provide any information that I can use to help you... and in fact my only alternative is to tell you: too bad :p

In other words, how does it not work? If you can, provide the smallest and simplest script and demonstrates the problem. Chances are, you might just discover and solve the problem yourself while trying to come up with such a script.

partano

this is the simplest command on the PHPmyadmin run SQL query and get the syntax error.

$alpha ="test"

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$alpha = "test"' at line 1

bradgrafelman

Well that makes sense... $alpha ="test" isn't valid SQL syntax. In fact, it's not even valid PHP syntax - you're missing a semicolon, but that's besides the point; running PHP code on a SQL server doesn't really make sense - they don't speak the same language.

Try debugging the query that laserlight suggested, since it's at least semantically correct:

$query = "SELECT * FROM login WHERE user='$alpha'";
$sql = mysql_query($query) or die('Error: ' . mysql_error() . "<br><br>Query: $query");

partano

<?php
$con = mysql_connect(xxx.xx.xxx.xxx, 'xxxxxx', 'xxxxxxxx');

	if (!$con) {

		die('Could not connect: ' . mysql_error());

	}

	echo '';

mysql_select_db("client", $con);
$uxer = mysql_real_escape_string($_POST['uxername']);
$sql = mysql_query("SELECT * FROM login WHERE user='$uxer'");

if (!mysql_query($sql,$con))

echo 'ERROR  User Name does not Exist  ERROR';

else

echo user    password      link;

mysql_close($con);

?>
<html>
<body>

<p> Click Here to Continue </p>
<form name="input" action="main.php" method="post">

</form>
<body>
<html>

ive tried many variations 🙁

bradgrafelman

partano wrote:
ive tried many variations

Did you try mine? As I said, we need to debug the SQL query so we need the exact SQL error message.

laserlight

You are looking to write something along these lines:

<?php
if (isset($_POST['submit'], $_POST['uxername'])) {
    $con = mysql_connect('xxx.xx.xxx.xxx', 'xxxxxx', 'xxxxxxxx')
        or die('Could not connect to database server: ' . mysql_error());

mysql_select_db("client", $con)
    or die('Could not select database: ' . mysql_error());

$query = sprintf("SELECT * FROM login WHERE `user`='%s'",
                 mysql_real_escape_string($_POST['uxername']));

$result = mysql_query($sql, $con)
    or die('Could not execute query: ' . mysql_error());

if (mysql_num_rows($result) == 1) {
    // user is logged in
    echo 'Logged in!';
} else {
    echo 'ERROR User Name does not Exist ERROR';
}

mysql_close($con);
} else {
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="text" name="uxername" />
<input type="submit" name="submit" value="Submit" />
</form>
<?php
}
?>

Notice how the flow of logic is handled. Now, what you need to do is adapt something like it for your own script, e.g., to add the HTML, to actually make the user login useful. Oh, and it is typically a good idea to require a password as well.

EDIT:
Also, note that using die is not a very good idea in an actual production script. As far as possible, try and handle such errors gracefully, e.g., report to the user that the database is down and thus the user could not be logged in. Spewing out the details of mysql_error() is a no-no.

It is also a good idea to select only those columns that you need in a database query.

partano

laserlight...

your code seems to report no errors however the result is nto what is expected.

I have a table with three variables (user, pass, link)

The idea is that a user in a login page types in the user then types in tha pass, this is then compared to the table and if there is a match the user would be then forwarded to a new page whose address is gotten from the "link" variable.

Quite frankly the ideal situation would be that the specific client pages were password protected, and the post from the inputs served not only to redirect to the correct "link" but also as validation to the password protected page.

Do you have any thoughts?

Andres

laserlight

your code seems to report no errors however the result is nto what is expected.

Do not expect my (or anyone else's) code examples to be handouts that work right out of the box (though if you are lucky sometimes they are).

I have a table with three variables (user, pass, link)

The idea is that a user in a login page types in the user then types in tha pass, this is then compared to the table and if there is a match the user would be then forwarded to a new page whose address is gotten from the "link" variable.

Quite frankly the ideal situation would be that the specific client pages were password protected, and the post from the inputs served not only to redirect to the correct "link" but also as validation to the password protected page.

Do you have any thoughts?

Basically, you have a simple permission system where a user with a given username and password is permitted to access the page with the given link (URL).

In such a case, you have two choices:
a) Require users to login on every visit to a restricted page, or
b) Require users to login, then transparently authenticate them on restricted pages

One possible implementation of option (a) is pretty simple: display the login page. If the user sucessfully logs in, include the desired page (which should be kept in a restricted directory). Else, display a failed login error message.

Option (b) needs more work, but makes life easier for your users, and indeed is what is normally expected of a web-based authentication system. Instead of having one table with username/password/URL, you would have a users table with userid/username/password, and also a permissions table where you associate each userid with one or more URLs. When the user logs in, you create a session for the user and record the userid in the session, and store the sessionid in a cookie. You also retrieve the list of pages that the user can visit, and display their links. When the user visits one of the links, the system checks the session and ensures that the given userid is indeed associated with the given URL.

What you should not do is redirect users after login without re-authenticating them on the destination page. A lack of such re-authentication would allow unauthorised users to by-pass the login system if they somehow got hold of the restricted page's URL, e.g., by viewing browser address history.

partano

I see your observations, but I dont have the knowledge for such an endeavor, are there any applications that would create this and I can implement in my current website. Andres