[Hyde]

What is the output of

$sql->rowcount()

?

Also, I notice that you are injecting the variables directly into the query. In PDO, the prepare method is made just for that, but in a safer and arguably nicer way :

$sql = $conn->prepare("SELECT * FROM users WHERE Password = '$password' AND Email = '$email'");
$sql->query();

$sql = $conn->prepare('SELECT * FROM users WHERE Password = :password AND Email = :email');
$sql->execute(array('password' => $password, 'email' => $email));

That's how

prepare()

is meant to be used. Otherwise, you just use

query()

.

[Cyril]

Please, indent your code It will make reading through it much easier.

What error does it give you, or where does it simply fail? I'm guessing at the prepare statement:

$sql = $conn->prepare("SELECT * FROM users WHERE Password = '$password' AND Email = '$email'");
$sql->query();

should be

$sql = $conn->prepare("SELECT * FROM users WHERE Password = ? AND Email = ?");
$sql->execute(array($password, $email));

See here:
http://webdevrefiner...sql-code-sucks/

[goldenpages]

It gives no output, thats why my if statements don't execute

So how would I output the number of rows using the SELECT statement in PDO, so I can use if statements with it?

[Hyde]

goldenpages, on 03 August 2012 - 01:00 PM, said:

It gives no output, thats why my if statements don't execute

It looks like rowCount doesn't actually return a numerical value. That would explain why your if statements are being executed.

I think the best way to look for an existing user matching an $email and $password would be this :

check post below

That way, there's is no playing with variable types. If something is fetched, the if statement will return true and the user will proceed to be signed it.

[goldenpages]

I inserted that code and that way returns me true even if its an unexisting email or password.

[Hyde]

goldenpages, on 03 August 2012 - 01:12 PM, said:

I inserted that code and that way returns me true even if its an unexisting email or password.

Shouldn't. That's how Kyek told me to check for existing record and it has always worked fine for searching a SQL database for content. Are the variables both set correctly?

Also, a few tips :

• Indent your code (as Cyril said).
  
• Using two

  '

  instead of two

  "

  when you want to make a string in which you know will not be any variables is better.

  echo "$variable";

  will display $variable's value, while

  echo '$variable';

  will display, character for character,

  $variable

  . This is because PHP doesn't scan strings within two

  '

  for variables, so that's faster when you know there aren't any variable in there.
  
• SQL row names should, just like a PHP variable's name, not start with a capital letter.
  
• Don't hesitate to ask if you don't understand something, either that we said or in the code that we showed you.

[goldenpages]

<?php

try 
{
$conn = new PDO("mysql:dbname=users;host=localhost", "register", "mysql" );
echo "Successful Connection ";
}

catch(PDOException $e)
{
echo $e->getMessage();
}

$sql = $conn->prepare("SELECT * FROM users WHERE Password = :password AND Email = :email");

$sql->bindParam(":email",$email); 
$sql->bindParam(":password",$password); 
 
$sql->execute(); 

$count = $sql->rowCount(); 
 
 
 

if ($count < 1)
{
header("Location: signin.php");
}

if ($count == 1) 
{
session_start();
$_SESSION['login'] = 1;
$_SESSION['email'] = $_POST["email"];
header("Location: home.php");
}

?>

[Hyde]

Why did you decided to go why individual

bindParam

instead of one

execute

which does everything?

Also, I just found what was wrong with the previous code I gave you. It should be the other way around :

if($check = $sql->fetchObject())
{
session_start();
$_SESSION['login'] = 1;
$_SESSION['email'] = $_POST['email'];
header("Location: home.php");
}

else
{
header("Location: signin.php");
}

instead of

if($check = $sql->fetchObject())
{
header("Location: signin.php");
}

else
{
session_start();
$_SESSION['login'] = 1;
$_SESSION['email'] = $_POST["email"];
header("Location: home.php");
}

This is because, in your code,

if ($count == 1)

is equal to

if($count == true)

or simply

if($count)

. This is also what

if($check = $sql->fetchObject())

does, except it doesn't rely on the numericallity of a value, and for this reason is better in my opinion.

I also imagine that simply performing a

fetchObject

would be easier/quicker than a

rowCount

.

If others have anything to say, it would help me

_____________________________________________________________________________________

Edit : Try this :

<?php
try 
{
$conn = new PDO('mysql:dbname=users;host=localhost', 'register', 'mysql');
echo 'Successful Connection';
}

catch(PDOException $e)
{
echo $e->getMessage();
}

$sql = $conn->prepare('SELECT * FROM users WHERE Password = :password AND Email = :email');
$sql->execute(array('password' => $password, 'email' => $email));

if($check = $sql->fetchObject())
{
session_start();
$_SESSION['login'] = 1;
$_SESSION['email'] = $_POST['email'];
header('Location: home.php');
}

else
{
header('Location: signin.php');
}
?>

And I just saw something. Do NOT select all fields (*) when you do perform a

SELECT

, especially not if you only want to make sure the user is existing. Just select one, even if you don't have any use for it.

Also, notice that I've replaced basically every

"

for a

'

.

[goldenpages]

does the code I did, somehow prevent SQL injections? if so, how?

[Hyde]

goldenpages, on 03 August 2012 - 04:59 PM, said:

does the code I did, somehow prevent SQL injections? if so, how?

Using prepared PDO statements is enough to prevent SQL injections. It could still be a good idea to make sure that the data given by the user is what it is expected to be, though. For example, that an "email" is really an email.