1

i have this script and i want to edit it so that it sends extra information to my android application from user table after checking if user already exists userStatues and userPosition

PS : i tried to edit it myself but i don't have proper knowledge in php to make it work or have time to learn php for the moment.. so kindly help if u can :)

<?php
$hostname_localhost ="";
$database_localhost ="";
$username_localhost ="";
$password_localhost ="";
$localhost = mysql_connect($hostname_localhost,$username_localhost,$password_localhost)
or
trigger_error(mysql_error(),E_USER_ERROR);

mysql_select_db($database_localhost, $localhost);

$username = $_POST['username'];
$password = $_POST['password'];
$query_search = "select * from user where username = '".$username."' AND password = '".$password. "'";
$query_exec = mysql_query($query_search) or die(mysql_error());
$rows = mysql_num_rows($query_exec);
//echo $rows;
 if($rows == 0) { 
 echo "No Such User Found"; 
 }
 else  {
    echo "User Found"; 
}
?>
Improve this question
5
  • So you want to echo the userStatuses and userPosition fields, right? Commented Aug 1, 2015 at 11:55
  • Also, in what manner do you expect the android application to get the data, is it just from the webpage's text after loading. Finally, are the db fields also called userStatuses and userPosition? Commented Aug 1, 2015 at 11:57
  • yes and i want to fetch those fields to my android application after the user successfully login Commented Aug 1, 2015 at 12:05
  • So something like this: In the first line of the page output, you have userStatuses, in the second one, userPosition. Right? Commented Aug 1, 2015 at 12:08
  • u can show me how to return one field and i will do the rest i already have PHP script that fetches the data from db to android but i want to edit the above script so that it do both " login process " and " fetching relevant data " Commented Aug 1, 2015 at 12:10

3 Answers 3

Reset to default
1

The solution you have right now is very vulnerable to SQL Injection. Here's a nice link telling you what that is: http://www.w3schools.com/sql/sql_injection.asp

To fix this, you should use something like PDO. Since you stated you don't have time to research these things, even though I would strongly recommend doing so to avoid any vulnerabilities like this one, I will replace your entire code with the non-vulnerable version:

<?php
$hostname_localhost ="";
$database_localhost ="";
$username_localhost ="";
$password_localhost ="";
$localhost = new PDO("mysql:host=$hostname_localhost;dbname=database_localhost", $username_localhost, $password_localhost);

$username = $_POST['username'];
$password = $_POST['password'];

$query = "select * from user where username = :username AND password = :password";
$query->bindValue(':username', $username);
$query->bindValue(':password', $password);
$query->execute;

$results = $query->fetchAll();

if(count($results) == 0)
    echo "No Such User Found";
else {
    echo "User Found";
    $data = array("userStatuses" => $results[0]["userStatuses"]
              "userPosition" => $results[0]["userPosition"]);

    echo json_encode($data)

    // OR

    echo $results[0]["userStatuses"].'<br/>'.$results[0]["userPosition"];
}
?>
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

i fixed ur answer a little and it now works just fine i will post the the fixed answer , thanks dude :)
@MohNage7 Thanks for fixing it bro :D
0

After this portion of your code

$query_search = "select * from user where username = '".$username."' AND password = '".$password. "'";

$query_exec = mysql_query($query_search) or die(mysql_error());
$rows = mysql_num_rows($query_exec);
//echo $rows;
if($rows == 0) { 
   echo "No Such User Found"; 
 }
 else  {
    echo "User Found"; 
 }

Do the following

$otherDetails = array();
while ( $row = mysql_fetch_assoc($query_exec) ) {
    $otherDetails['userStatues'];
    $otherDetails['userPosition'];
}
//$otherDetails contains what you want
//you can send it down as json
echo json_encode( $otherDetails );

PLEASE NOTE: The line below present in your code:

$query_search = "select * from user where username = '".$username."' AND password = '".$password. "'";

Is source of security issues. E.g SQL injection and also shows that you are not encrypting your passwords in the database.

Use Php PDO to solve the SQL injection problem and use some hashing algorithms to solve the plain text password problem.

Cheers

Improve this answer

4 Comments

This is vulnerable to SQL injection, why not use PDO?
Oh there's more! The fact that he is selecting the user with a password without any hashing what so ever suggests that the password is saved in plain text! Which is a security risk also. I just used the code he was already working with so i don't cause more confusion.
Yeah, @MohNage7 I would recommend reading more into these things, you will cause a lot of security issues otherwise
@Makville it returns an empty array , but hey thanks ;)
0

after fixing @Lightwind answer's , here's the answer

<?php
$hostname_localhost ="";
$database_localhost ="";
$username_localhost ="";
$password_localhost ="";
$options_localhost  = array (PDO::ATTR_ERRMODE=>  PDO::ERRMODE_EXCEPTION);

$localhost = new PDO("mysql:host=$hostname_localhost;dbname=$database_localhost;charset=utf8", $username_localhost, $password_localhost,$options_localhost);

$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING , NULL) ;;
$password = filter_var($_POST['password'], FILTER_SANITIZE_STRING , NULL) ;

$query  =  "select * from user where username = :username AND password = :password";
$sql     =$localhost->prepare ($query);
$sql->bindparam(':username', $username,PDO::PARAM_STR);
$sql->bindparam(':password', $password,PDO::PARAM_STR);
$sql->execute();

$results = $sql->fetchObject();

if (count($results) == 0) {
    echo "No Such User Found";
} else {
    echo "User Found";
    $data = array("status" => $results->userStatus);
    echo json_encode($data);
}
?>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.