Posted by David Haynes on 10/03/61 11:43

comp_guy wrote:
> hey guys, i have been working on a simple form which validates if a
> user is valid or not. i am a newbie and just want to deny unauthorised
> access to a 'members' page. I wish to compare the password entered by
> the user with that they entered into their submitted registration
> form.. however i keep getting a mySQL error message 'query was empty'.
> i was hope someone would know my failings! here is my code:
>
> <?php
>
> $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my
> password here");
>
> $password=$_POST['password'];
>
> mysql_select_db("sjcdb",$connection) or die("failed!");
>
> $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");
>
> $result = mysql_query($sql)or die(mysql_error());
>
> $rows = mysql_num_rows($result);
>
> if ($rows){
>
> if ($password == $row[9]){
>
> header("Location:members.html");
> }
> else
> {
> header("Location:register.html");
> exit;
> }
> }
> mysql_close();
>
> ?>
>

A couple of observations...

This:
$sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

sets $sql to be the result set of the query...
while this:
$result = mysql_query($sql)or die(mysql_error());

tries to do another query using the result set. That's just not right.

I suggest you do something like:
$sql = "select count(*) from users where password = '$password'";
$result = mysql_query($sql, $connection);

$row = mysql_fetch_row($result);
if( $row[0] ) {
...

mysql_free_result($result);
mysql_close($connection);

Also, your second comparison to $row[9] is not needed. The password
match is already accounted for in the where clause of the SQL query.

-david-

[Back to original message]