How To Check A Query...

[Sharlenwar]

Okay, I thought I knew what I was doing. I have done some tests, and I have the mysqli working as I expect for when you register, it inserts it into the correct database and it seems to be the correct data. Now when I come to where you need to login, it always tells you to Try Again.

I know I might be missing a step or doing something wrong, I just don't see it. I even used this to check my statement.

Code: Select all

<?php
/* Grindfest Code
   Created: May 13, 2014
   By: Sharlenwar aka Martin Holubec */
?>
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="style.css">
  </head>
  <body id="main_html">
    <section>	
<?php
include_once 'connect.php';
session_start();

if (isset($_POST['submit']))
{
  $username=$_POST['username'];
  $password=$_POST['password'];
  $username=strip_tags($username);
  $password=strip_tags($password);
  $password=md5($password);

  $statement=$db->prepare('SELECT aid FROM accounts WHERE username=? AND password=?');
  $statement->bind_param('ss', $username, $password);
  $statement->execute();
  
  $rowAID=0;
  $statement->bind_result($rowAID);
  
  /* ***this is not doing a check!*** */
  if ($rowAID)
  {
    $_SESSION['account']=$rowAID;

    echo "<big>" . $rowUserName . " has logged in successfully! rowAID=" . $rowAID . "<br>";
    echo "<a href='index.php'>Continue</a></big>";
  }
  else
  {
    echo "<big>Wrong username or password!<br>";
    echo "<a href='login.php'>Try Again</a></big>";
  }
}
?>
    </section>
	<section>
	  <br>Demuria Studios © 2014
	</section
  </body>
</html>

I'll keep trying, but I'm stuck as to why the query isn't returning the AID from the accounts table.

Thanks for any help!

[kaos78414]

I don't know what

Code: Select all

$statement->bind_result();

is doing, but is it returning the value of something?

I would assume that after you call that function $rowAID still = 0, which is falsey in PHP so

Code: Select all

if ($rowAID)

will resolve to false.

Try doing

Code: Select all

var_dump($rowAID);die();

after

Code: Select all

$statement->bind_result($rowAID);

And see there if $rowAID is still == 0. If it is, try passing the var by reference:

Code: Select all

 $statement->bind_result(&$rowAID);

See this doc: http://www.php.net/manual/en/language.r ... s.pass.php

[Winawer]

You're not fetching from the result set so $rowAID is null.

See http://www.php.net/manual/en/mysqli-stmt.fetch.php

[kaos78414]

Ah, Winawer is right. I just assumed bind_result() was a function for a custom class you had written.

[Sharlenwar]

Those references to me are like reading gibberish. Trying to understand what I'm doing wrong. What is the right way to get the information from the database so you can work with it?

I'm still stuck here, and will be until I can figure this out.

What I have tried to do was try and put in some debug code to see where it is failing. I have done something like this in the code:

Code: Select all

$statement=$db->prepare('SELECT * FROM accounts WHERE username=? AND password=?');
  
  if (!$statement->bind_param('ss', $username, $password)) {
    echo "Binding parameters failed: (" . $statement->errno . ") " . $statement->error;
  }

And the binding is happening, as no error is being returned. As far as the SELECT, I know the username and password I am trying to pull up is accurate according to the database.

I'll keep looking, but some examples other than the silly reference material would be helpful.

[Sharlenwar]

Okay, did some searching on the web and I have no clue why this isn't working:

Code: Select all

$statement=$db->prepare('SELECT * FROM accounts WHERE username=? AND password=?');
  
  $statement->bind_param('ss', $username, $password);
 
  $statement->execute();
  
  $rowAID=0;
  $rowUsername='';
  $rowPassword='';
  $rowEmail='';
  $rowDateRegistered='';
  $rowPrivilege=0;
  $rowTokens=0;
  
  $statement->bind_result($rowAID,$rowUsername,$rowPassword,$rowEmail,$rowDateRegistered,$rowPrivilege,$rowTokens);
  
  if (!$statement->fetch())
  {
    echo "What the fuck!?";
  }
  else
  {
    while($statement->fetch())
    {
    printf("%s %s/n", $rowUsername, $rowAID);
    }
  }

So if we start with the SELECT statement, what I'm trying to do here is select all of the rows with all of the columns of the username & password that match the login page parameters you type in. That is where the $username and $password come from when I bind them. Then I want to execute the statement so that it can give me the match. Here is the kicker, for some strange reason when I do the fetch(), it seems to fail and give me the "What the fuck!?".

What is the proper way of doing this stuff? I thought this mySQLi stuff would be a breeze, this is being more challenging than I expected.

Edit: Reason I am confused is because this code works as expected:

Code: Select all

<?php
/* Grindfest Code
   Created: May 13, 2014
   By: Sharlenwar aka Martin Holubec */
?>

<html>
  <head>
    <link rel="stylesheet" type="text/css" href="style.css">
  </head>
  <body id="main_html">
    <section>
<?php
include_once 'connect.php';

$username=$_POST['username'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$username=strip_tags($username);
$email=$_POST['email'];
$email=strip_tags($email);

if ($email == "")
{
  echo "You didn't enter a email address!<br>";
  echo "<a href='register.php'>Go Back</a>";
  exit;
}

if ($password==$password2)
{
  $statement=$db->prepare('SELECT * FROM accounts WHERE username=?');
  $statement->bind_param("s", $username);
  
  $rowAID=0;
  $rowUsername='';
  $rowPassword='';
  $rowEmail='';
  $rowDateRegistered='';
  $rowPrivilege=0;
  $rowTokens=0;
  $statement->bind_result($rowAID,$rowUsername,$rowPassword,$rowEmail,$rowDateRegistered,$rowPrivilege,$rowTokens);
  $statement->execute();

  if (!$_POST['password'] || !$_POST['password2'])
  {
    print "You did not enter a password!<br>";
    echo "<a href='register.php'>Go Back</a>";
    exit;
  }
  else if ($statement->fetch() || strlen($username) > 30 || strlen($username) < 1)
  {
    print "There is already a user of that name, or the name you have specified is over 30 letters or less than 1 letter.<br>";
    echo "<a href='register.php'>Go Back</a>";
    exit;
  }
  else
  {
    $statement2=$db->prepare('SELECT * FROM accounts WHERE email=?');
	$statement2->bind_param('s', $email);
	
	$rowAID2=0;
    $rowUsername2='';
    $rowPassword2='';
    $rowEmail2='';
    $rowDateRegistered2='';
    $rowPrivilege2=0;
    $rowTokens2=0;
	
	$statement2->bind_result($rowAID2,$rowUsername2,$rowPassword2,$rowEmail2,$rowDateRegistered2,$rowPrivilege2,$rowTokens2);
    $statement2->execute();

    if ($statement2->fetch())
    {
      print "There is already a player with that email address!<br>";
      echo "<a href='register.php'>Go Back</a>";
	  exit;
    }
    else
    {
      $password=md5($password);

      $statement3=$db->prepare('INSERT INTO accounts(username,password,email) VALUES(?,?,?)');
	  $statement3->bind_param('sss', $username, $password, $email);
      $statement3->execute();
	  
      print "Thank you for registering!<br>";
    }
  }
}
else
{
  print "Your password didn't match or you did not enter a password!<br>";
  echo "<a href='register.php'>Go Back</a>";
  exit;
}

echo "<a href='login.php'>Login Page</a>";
?>
    </section>
  </body>
</html>

[Winawer]

You can use mysqli::$error to see what's going wrong: http://www.php.net/manual/en/mysqli.error.php

If there's no error your query is returning zero rows. You can echo the variables (probably $password is the problem since username works in your other code fragment, perhaps you're forgetting to hash it or something) to check that the values are as expected.

[Sharlenwar]

@Winawer: Okay, so you won't believe this, but it was a very silly mistake. The md5 hashing needs so many characters, I was chopping off the characters at 30 in the appropriate password column in the accounts table. I changed this number to 50 and it seems to function as it should. I wrote this code to test inserting, deleting, and connecting using PDO.

Code: Select all

<?php
/* PDO & mySQLi Testing Stuff */

$bypass=0;
   
# connect to the database
try {
  $db=new PDO("mysql:host=localhost;dbname=grindfest", 'root', '');
  $db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
}
catch(PDOException $e) {
    echo "DEBUG: Database Error - PDOException";
    echo $e->getMessage();
}

/* simple query - dumping the whole table out */
if(isset($_POST['simple']))
{
  $bypass=1;
  
  echo "<br><b><u>Simpe Query Results</b></u><br>";
  $statement=$db->query("SELECT aid,username,password,email FROM accounts");
  $statement->setFetchMode(PDO::FETCH_OBJ);
 
  # showing the results
  while($row=$statement->fetch())
  {
    echo "AID=" . $row->aid . "<br>";
    echo "Username=" . $row->username . "<br>";
	echo "Password=" . $row->password . "<br>";
    echo "Email=" . $row->email . "<br><br>";
  }
}

/* inserting into the database */
if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email']))
{
  $bypass=1;
  $username=$_POST['username'];
  $password=$_POST['password'];
  $password=md5($password);
  $email=$_POST['email'];
  $data=array($username, $password, $email);
  $statement=$db->prepare("INSERT INTO accounts(username,password,email) VALUES(?,?,?)");
  $statement->execute($data);
  
  echo "<br>Inserted " . $username . " into the database!<br>";
  echo "<br>Next Row To Insert:" . $db->lastInsertId() . "<br>";
}

/* specific query - returning the result from matched username & password */
if(isset($_POST['username2']) && isset($_POST['password2']))
{
  $bypass=1;
  $username=$_POST['username2'];
  $password=$_POST['password2'];
  $password=md5($password);
  
  $statement=$db->query("SELECT * FROM accounts WHERE username='$username'");
  #statement=$db->query("SELECT * FROM accounts WHERE username='$username' AND password='$password'");
 
  # setting the fetch mode
  $statement->setFetchMode(PDO::FETCH_OBJ);
 
  
  while($row=$statement->fetch())
  {
    if($row->password == $password)
	{
      echo "AID=" . $row->aid . "<br>";
      echo "Username=" . $row->username . "<br>";
	  echo "Password=" . $row->password . "<br>";
      echo "Email=" . $row->email . "<br>";
	  echo "Tokens=" . $row->tokens . "<br>";
	}
	else
	{
	  echo "Passwords don't match AID=" . $row->aid . "<br>";
	}
  }
}

/* delete from database - matching username and password */
if(isset($_POST['delete']))
{
  $bypass=1;
  $username=$_POST['username3'];
  $password=$_POST['password3'];
  $password=md5($password);
  
  $statement=$db->query("SELECT * FROM accounts WHERE username='$username' AND password='$password'");
  
  if($row=$statement->fetch())
  {
    echo $username . "has been removed from accounts.<br>";
    $db->exec("DELETE FROM accounts WHERE username='$username' AND password='$password'");
  }
}

if(!$bypass)
{
  ?>
  <b><u>Simple Query of Database</u></b><br>
  <form method="post" action="testing.php">
  <input type="hidden" name="simple" value="1">
  <input type="submit" value="Query Database" name="submit"></form>
  <br>
  <form method="post" action="testing.php">
  <b><u>Insert Into Database</u></b><br>
  <input type="text" name="username" size="30" placeholder="Username">
  <br>
  <input type="password" name="password" size="30" placeholder="Password">
  <br>
  <input type="text" name="email" size="30" placeholder="Email Address">
  <br>
  <input type="submit" value="Insert Into Database" name="submit"></form>
  <br>
  <b><u>Specific Query of Database</u></b><br>
  <form method="post" action="testing.php">
  <input type="text" name="username2" size="30" placeholder="Username">
  <br>
  <input type="password" name="password2" size="30" placeholder="Password">
  <br>
  <input type="submit" value="Specific Query of Database" name="submit"></form>
  <br>
  <b><u>Remove From Database</u></b><br>
  <form method="post" action="testing.php">
  <input type="text" name="username3" size="30" placeholder="Username">
  <br>
  <input type="password" name="password3" size="30" placeholder="Password">
  <br>
  <input type="hidden" name="delete" value="1">
  <input type="submit" value="Remove From Database" name="submit"></form>
  <?php
}

echo "<br><a href='testing.php'><i>Reload</i></a>";

#closes the database
$db=null;
?>

I think I am starting to get the hang of how it all works. The mud is starting to clear up, now instead of being this black thick sludge, it is now murky water.

Thanks for bearing with me, I'll post up anything if I encounter any hiccups.