How to display data from database after login

Post by syquek » Wed Oct 31, 2012 12:00 am

This is my code which I edited from my lecturer. I have tried several times but it couldn't retrieve the results from the database. Is there anything wrong with the coding? I am able to connect to the database but not able to display the data.

<title>User interface</title>
<h1>user interface</h1>
<?php
// create short variable names
$user = $_POST['user'];
$pwd = $_POST['pwd'];

if (!$user || !$pwd) {
    echo 'You have not entered search details. Please go back and try again.';
    exit;
}

if (!get_magic_quotes_gpc()) {
    $user = addslashes($user);
    $pwd = addslashes($pwd);
}

@ $db = new mysqli('localhost', '', '', 'EE4717G39');

if (mysqli_connect_errno()) {
    echo 'Error: Could not connect to database. Please try again later.';
    exit;
}

$query = "select * from newsignup where ".$user." like '%".$pwd."%'";
$result = $db->query($query);

$num_results = $result->num_rows;

echo "<p>Number of books found: ".$num_results."</p>";

for ($i=0; $i <$num_results; $i++) {
    $row = $result->fetch_assoc();
    echo "<p><strong>".($i+1).". Title: ";
    echo htmlspecialchars(stripslashes($row['Username']));
    echo "</strong><br />Author: ";
    echo "</p>";
}
?>




Post by egami » Fri Nov 02, 2012 9:27 am

You're not off to a very good start with your PHP scripting, and I'm not trying to be rude.
So, I'll give you my $0.02 worth, and you can take it from there.

First, never take user input as valid data. Ever.

$user = $_POST['user'];

This is very, very bad.

$user = mysql_real_escape_string(strip_tags(trim($_POST['user'])));
$pass = mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

mysql_real_escape_string == Removes SQL injection from variables
strip_tags == removes possible tags for injection (html, body, div, etc.)
trim == remove any white spaces before and after the string.

This eliminates any SQL injection probabilities. VERY IMPORTANT TO REMEMBER.


Code:

if (!$user || !$pwd) {
    echo 'You have not entered search details. Please go back and try again.';
}

Is all kinds of wrong. If the $_POST vars exist, but are empty, your variables will exist, but be empty. Thus the literal saying:

if NOT $user OR NOT $pwd

There are two things wrong here.
The first being the variable does exist.
The second you're saying if the user OR the password doesn't exist... throw the error. It really should be both.

So it should be written more like this..

Code:

if ($_POST['user'] != NULL || $_POST['user'] != '') {
    $user = mysql_real_escape_string(strip_tags(trim($_POST['user'])));
} else {
    $error[] = "Username cannot be empty.";
}

if ($_POST['pwd'] != NULL || $_POST['pwd'] != '') {
    $pwd = mysql_real_escape_string(strip_tags(trim($_POST['pwd'])));
    // However, you should *NEVER* store passwords in clear text.
    // $pwd = md5(mysql_real_escape_string(strip_tags(trim($_POST['pwd']))));
} else {
    $error[] = "Password cannot be empty or blank.";
}

if (!isset($error)) {
    // no validation errors were collected; the rest of the script goes here
}

But really, now that's out of the way..
Your SQL problem is this..

$query = "select * from newsignup where ".$user." like '%".$pwd."%'";
This means..
SELECT EVERYTHING FROM newsignup WHERE whatever-user-name-was-put-in-the-form LOOKS LIKE whatever-password-was-put-in-the-form. (But even then, the syntax is all kinds of wrong.)

It should probably look a bit more like..

$query = "SELECT * FROM newsignup WHERE user = '$user' AND pwd = '$pwd'";
This means..
SELECT EVERYTHING FROM newsignup WHERE the field 'user' is exactly what-ever-username-was-entered AND the pwd field is exactly what-ever-password-was-entered-by-the-user.

This is a correctly formatted SQL query. And it's also the query you SHOULD be using as it is looking for exact matches, and not "any-thing-like". Searching for LIKE in a username/pass combo is a bad idea.
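
An added example (not written by any poster in this thread) of the exact-match login lookup, using a bound parameter in place of string escaping and password_hash()/password_verify() for the stored password. It uses PDO with a constructed in-memory SQLite table so it runs without a server, whereas the thread's code uses mysqli; the columns `user` and `pwd` come from the query above, and the sample account and the helper names find_user() and validate_login_input() are assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names follow the thread;
// the SQLite database, sample account and hashed `pwd` column are assumptions.

function validate_login_input(array $post): array
{
    $errors = [];
    if (trim((string)($post['user'] ?? '')) === '') {
        $errors[] = 'Username cannot be empty.';
    }
    if ((string)($post['pwd'] ?? '') === '') {
        $errors[] = 'Password cannot be empty or blank.';
    }
    return $errors;
}

function find_user(PDO $db, string $user, string $pwd): ?array
{
    // The ? placeholder is sent separately from the SQL text, so quotes in
    // $user cannot change the structure of the query.
    $stmt = $db->prepare('SELECT user, pwd FROM newsignup WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Exact match on the name, then check the password against its hash.
    if ($row === false || !password_verify($pwd, $row['pwd'])) {
        return null;
    }
    return ['user' => $row['user']];
}

// Constructed data so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE newsignup (user TEXT PRIMARY KEY, pwd TEXT NOT NULL)');
$db->prepare('INSERT INTO newsignup (user, pwd) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

$post = ['user' => "o'brien", 'pwd' => 'correct horse']; // stands in for $_POST
$errors = validate_login_input($post);
$row = $errors ? null : find_user($db, trim($post['user']), $post['pwd']);

if ($row !== null) {
    // Escape when printing; this is where HTML in stored data is neutralised.
    echo '<p>Logged in as <strong>'
        . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . "</strong></p>\n";
} else {
    echo '<p>' . htmlspecialchars($errors[0] ?? 'Invalid username or password.') . "</p>\n";
}
```

Against MySQL only the PDO connection string changes; the prepared statement and the password check stay the same.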


Post by seandisanti » Fri Nov 02, 2012 2:22 pm

You can also use helper functions to consolidate some of your code too. For example:

Code:

function clean($s)
{
    return mysql_real_escape_string(strip_tags(trim($s)));
}

Then you can just do

Code:

$user = clean($_POST['user']);
