password sql misery

[Thomas001]

I'm trying to retreive a password out of a database


function Verify()
{
$query = mysql_query($run);
$run = " SELECT * FROM $dbtable WHERE acc='$sent_acc' AND pass='$sent_pass'; ";

if($run)
return true;
else
return false;
}

it always returns true


this is where I'm trying to verify if the password is correct.

 

[kenrbnsn]

I think your code is in the wrong order. Don't you want:

$query = " SELECT * FROM $dbtable WHERE acc='$sent_acc' AND pass='$sent_pass'; ";
$run = mysql_query($query);
if ($run)...

 

[Thomas001]

That seems a bit better, however $run is always returning blank..

I've put this through tests and it can see the database though.

 

[Vragabond]

As far as I know, your logic is flawed. $run in this case will return result handler, not actual data from the database. As long as there is nothing wrong with the SQL, it will return true. Even if there are no rows, since that is still a valid SQL query. You should look into mysql_num_rows to check if your query has produced more than 0 rows. If it has, return true, else false.

 

[DRJ478]

You are mistaking the outcome of the mysql_query for the returned data. WHat mysql_query returns is a result identifier. You need to fetch the data from that identified resource. I suggest you read my FAQ on that: faq434-3850

Also, do the password go unencrypted into the table? Probably not a good idea.

 

[Thomas001]

uh huh..


function Verify()
{
$query = " SELECT * FROM $dbtable WHERE acc='$sent_acc' AND pass='$sent_pass'; ";
$run = mysql_num_rows(mysql_query($query));

if($run == 0)
return true;
else
return false;

}

 

[DRJ478]

Alternative:

$SQL = "SELECT count(*) AS run FROM $dbtable WHERE ....";
$result = mysql_query($SQL) OR die(mysql_error());
$row = mysql_fetch_assoc($result);
return $row['run'];

This actually counts the records with that user/pass combination.
I would also recommend to add error checking to the mysql_query (as above).
[/code]