Hello Andy,
Thursday, March 25, 2004, 10:43:54 AM, you wrote:
AB> So, just for the sake of me getting this right, it would be better code if i
AB> had the code like this:
AB> <?
AB> $UserExists=mysql_query("select * from users where
AB> username='$_POST[username]' and pwd=md5($_POST[password])");
AB> //since query is done see if the user exists
AB> if($UserExists) {
AB> ExistingUserCanDoSomething(); }
AB> else {
AB> YouCantDoAnythingIfYouDontExist(); }
?>>
Do you actually need to bring back the user data? What I mean is,
you're selecting * from the users table and doing nothing with it
other than worrying if the query was successful or not.
It would make far more sense if you just did this:
SELECT COUNT(username) AS hits FROM users WHERE ...
Providing your query syntax is good this will always return a value in
"hits". A zero means no users, anything above and you've got a live
one.
Also - I doubt I need to mention this, but you're injecting POST
variables directly into a SQL query. I hope your example above was
just that and isn't the actual way you're doing it?
AB> and $UserExists in this example is either true or false because "empty set"
AB> in mysql isnt even a number it = NULL
$UserExists in your example will never be TRUE, it can only ever be
FALSE. mysql_query does not, under any circumstances, return a boolean
TRUE value. It either returns a FALSE (if it was a select query) or a
*resource identifier* regardless of "empty sets".
Sometimes if this resource identifier equals the value of 1 then a
loose comparison to "true" might exist, but only because PHP is determining
this value as such, not because it really is a true boolean value.
In the example above, providing all the data is given (username and
password) the query will return what appears to be "TRUE" regardless
of what happens. Imagine you have a user "bob" in your database and
his password is "hi", look at the two following queries:
SELECT * FROM users WHERE username='bob' AND password='hi'
SELECT * FROM users WHERE username='bob' AND password='incorrect'
Both of them will make mysql_query return a resource identifier
because they are both correct from a syntax point of view. But in
actual fact they're telling you two completely different things.
Without doing a COUNT or knowing how many rows the query returned, you
cannot determine if the user does already exist or not, all you can
tell is if your query worked and an invalid user does not = an invalid
query.
--
Best regards,
Richard Davey
http://www.phpcommunity.org/wiki/296.html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
