Author Re: [PHP-DB] Beginners Problem
Evert Lammerts

2008-01-08, 7:02 pm

Hi Ben,

Number of things wrong with your code, look below.

> $select_sql = sprintf("SELECT `username` FROM `users` WHERE `username` =
> '$user' AND `password` = '$pass'", mysql_real_escape_string($user),
> mysql_real_escape_string($pass));
>

In the string you are printing using sprintf you need to use a
conversion specification (see http://uk2.php.net/sprintf), in your case
%s. It will look like this:

$select_sql = sprintf("SELECT `username` FROM `users` WHERE `username` = '%s' AND `password` = '%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($pass));

> if($select_sql_two)

As Peter points out, mysql_query (http://uk2.php.net/mysql_query) will
always return a resource if and only if the query syntax was correct,
even if the actual result set is empty. Knowing that anything that is
not <= 0, null or false will return true, the above condition will
always be true (which is why the login works). So instead, use one of
the mysql_fetch functions, e.g.

if ($row = mysql_fetch_array($select_sql_two))

Couple of other tips. Put your php functionality for login in a
function, with username and password as parameters (function
login($user, $pass)). This way you can reuse it, and it makes your code
a lot easier to handle. Also, instead of printing an HTML redirect I'd
recommend doing the redirect in the HTTP header (http://uk.php.net/header).

if (!empty($_POST['username']) && !empty($_POST['password']))
    login($_POST['username'], $_POST['password']);
else
    header('location: members.php');

Do remember that in order to use the header function you cannot output
anything else before the function is called, like it says in the manual.
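
Added example, not part of the post above and not the poster's code: a login($user, $pass)-style function that shows the two fixes discussed, keeping user input out of the SQL text and deciding on a fetched row rather than on the truthiness of the query handle. It goes beyond the thread in two labelled ways: it uses PDO placeholders because the mysql_* extension was removed in PHP 7, and it compares a password hash instead of matching the password in SQL. The in-memory SQLite database, the table layout and the accounts are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL server; the table and the account
// below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['ben', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns the username on a successful login, false otherwise.
 */
function login(PDO $db, string $user, string $pass)
{
    // Placeholders keep the input out of the SQL text entirely, so neither
    // escaping nor a sprintf conversion specification is needed.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);

    // $stmt is an object and therefore truthy even when nothing matched.
    // Only fetch() says whether a row exists: it returns false on an empty set.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($pass, $row['password_hash']) ? $row['username'] : false;
}

// Constructed login attempts.
$attempts = [
    ['ben', 'correct horse'],   // valid credentials
    ['ben', 'wrong'],           // known user, wrong password
    ['nobody', 'x'],            // unknown user: the result set is empty
    ["o'brien", 'x'],           // a quote in the input is plain data to the placeholder
];
foreach ($attempts as [$user, $pass]) {
    var_dump(login($db, $user, $pass));
}
```

Only the first attempt returns a username; the other three return false, including the unknown user, for whom the statement handle is still truthy.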

Copyright 2008 codecomments.com