  1. #1
    New Coder
    Join Date
    Jun 2007
    Location
    UK
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts

    MYSQL e-mail query in PHP

    This is a search I wrote, which will be looking for a unique email address in a database and bring back the fields that I asked for (for 1 record). I believe I have done the right thing using mysql_results (please advise if not..)

    My problem comes when the e-mail address does not exist.. It brings up an error about not being able to select that record.

    I need an "if" written in PHP so I can script what to do if the e-mail address is not registered.

    PHP Code:
    $query = "SELECT `user_id`, `user_email`, `username` FROM `database` WHERE `user_email` = '$_POST[email]'";

    $result = mysql_query($query);

    $userid = mysql_result($result, 0, "user_id");
    Thanks in advance,

    - Mutasim

  • #2
    Regular Coder
    Join Date
    Apr 2007
    Posts
    295
    Thanks
    0
    Thanked 19 Times in 19 Posts
    First, sanitize your input!

    All someone has to do is set their email to something like this and they'll drop your database, that = bad
    Code:
    '; DROP TABLE database; SELECT * FROM database WHERE user_id='
    To sanitize, do something like
    PHP Code:
    $email = mysql_real_escape_string($_POST['email']);
    For your problem, something along the lines of this should work
    PHP Code:
    if(!empty(trim($email)))
    {
         
    // If the email is not empty, query the result

    Last edited by mr e; 06-06-2007 at 09:18 PM.

  • #3
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,092
    Thanks
    2
    Thanked 322 Times in 314 Posts
    The mysql_result() function, besides being the SLOWEST way to get a piece of data from the result set, has the unfortunate problem of throwing a PHP Warning message when the result set contains no rows, because it always attempts to access the row given by the second parameter.

    If you want to use the mysql_result() function, you must first use the mysql_num_rows() function to ensure that there is at least a row with the row number that you are accessing, or

    You should use one of the mysql_fetch_xxxxxx functions. They operate faster than the mysql_result() and they don't throw a Warning message when there are no rows in the result set.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,084
    Thanks
    11
    Thanked 100 Times in 98 Posts
    All someone has to do is set their email to something like this and they'll drop your database
    MySQL does not support chained queries so that will not work, that said, mr e is correct in that all potentially tainted data needs to be sanitized.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #5
    New Coder
    Join Date
    Jun 2007
    Location
    UK
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by mr e View Post
    All someone has to do is set their email to something like this and they'll drop your database, that = bad
    I appreciate your concern, I think I already have that covered in PHP:
    (Only to avoid spamming)
    PHP Code:
    if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_POST['email']))
                 {
                 
    // e-mail is valid so search, if not register

    So I need to use mysql_fetch ? Please advise

  • #6
    Regular Coder
    Join Date
    Jun 2007
    Location
    N. Ireland
    Posts
    351
    Thanks
    16
    Thanked 4 Times in 4 Posts
    Yeah,

    I would query the number of rows containing the required fields
    if(Query_num_rows <1){
    //error
    } else {
    //run query
    }

    Hope this helps.

    D.

  • #7
    New Coder
    Join Date
    Jun 2007
    Location
    UK
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Which mysql_fetch shall I use ??

  • #8
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    My recommendation is mysql_fetch_assoc().

    if(Query_num_rows <1){
    This is not helpful. Invalid name, and it's not called as a function. PHP would treat it as a constant, one which does not exist (which results in a warning).

    PHP Code:
    if (mysql_num_rows($result) < 1) { 
    Last edited by aedrin; 06-07-2007 at 06:39 PM.

  • #9
    New Coder
    Join Date
    Jun 2007
    Location
    UK
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    :P

    Yea, I kinda guessed that it wasn't that code... I'm not a complete n00b

    this is what I did...

    not sure if I need to and how to include mysql_fetch_assoc

    PHP Code:
    $result = mysql_query($query);

    if (mysql_num_rows($result) !== 0)
    {
        $userid = mysql_result($result, 0, "user_id");
        $username = mysql_result($result, 0, "username");
    }

  • #10
    Senior Coder
    Join Date
    Apr 2007
    Location
    Quakertown PA USA
    Posts
    1,028
    Thanks
    1
    Thanked 125 Times in 123 Posts
    PHP Code:
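    $result = mysql_query($query);

    if (mysql_num_rows($result) !== 0)
    {
        // Fetch the single matching row as an associative array
        $row = mysql_fetch_assoc($result);

        // Keys match the column names selected in the query
        $userid = $row['user_id'];
        $username = $row['username'];
    }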

  • #11
    New Coder
    Join Date
    Jun 2007
    Location
    UK
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks guys... issue resolved

  • #12
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    Yea, I kinda guessed that it wasn't that code... I'm not a complete n00b
    It was mostly aimed at daemonkin.

  • #13
    Regular Coder
    Join Date
    Jun 2007
    Location
    N. Ireland
    Posts
    351
    Thanks
    16
    Thanked 4 Times in 4 Posts
    Sorry about that aedrin. Was just writing pseudo code quickly. If I do give snippets I'll be sure to use the PHP tags and insert the correct function names.

    D.
    Daemonkin.
    If this was helpful, please add to my reputation
    Thousand Sons - Freelance Web Developer - ninetyonedegrees.com

