Unable to retrieve data from MySQL table

Question

Firstly, I am new to php. I am also new to MySQL, so be gentle with me. Secondly, I know mysql_* is depreciated and this will be fixed at a later point once I understand more.

So I have the following code:

        if(isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password'])){
            $email = mysql_escape_string($_POST['email']);
            $password = mysql_escape_string($_POST['password']);

            $search = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
            $match  = mysql_num_rows($search);

            if($match > 0){
                $user=$search['forename'] .' '.$search['surname'];
                $_SESSION['username']=$user;
                $msg = 'Login Complete! Thanks, '.$user.'!';
            }else{
                $msg = 'Login Failed!<br /> Please make sure that you enter the correct details and that you have activated your account.';
            }
        }

Quite simply, I am checking that the email and password match(I know it's not a hashed password...again, not an issue as it's a test). If they do, and the account has been activated, then I want to return the users first and last name (forename/surname in the users table) and store them in a session variable. If that variable isset, I want to use this information to confirm that the user has logged in(and so have access to certain pages). However, this test doesn't return the user name, instead outputting:

Login Complete! Thanks, !

Any help would be appreciated.

Answer 1

You replace your code /*************Your Code****/ if(isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password'])){ $email = mysql_escape_string($_POST['email']); $password = mysql_escape_string($_POST['password']);

        $search = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
        $match  = mysql_num_rows($search);

        if($match > 0){
            $user=$search['forename'] .' '.$search['surname'];
            $_SESSION['username']=$user;
            $msg = 'Login Complete! Thanks, '.$user.'!';
        }else{
            $msg = 'Login Failed!<br /> Please make sure that you enter the correct details and that you have activated your account.';
        }
    }

To

/*************MY Code****/

    if(isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password'])){
        $email = mysql_escape_string($_POST['email']);
        $password = mysql_escape_string($_POST['password']);

        $search = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
        $match  = mysql_num_rows($search);

        if($match > 0){
            $search = mysql_fetch_array($search); 
            $user=$search['forename'] .' '.$search['surname'];
            $_SESSION['username']=$user;
            $msg = 'Login Complete! Thanks, '.$user.'!';
        }else{
            $msg = 'Login Failed!<br /> Please make sure that you enter the correct details and that you have activated your account.';
        }
    }

Answer 2

Remember the the value return by mysql_query is resource so you need to fetch the result row as an associative array.

while ($row = mysql_fetch_assoc($search)) 
{
    $user=$row['forename'] .' '.$row['surname'];
    $_SESSION['username']=$user;
}

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

• How to prevent SQL injection in PHP?

Answer 3

You need to do $row = mysql_fetch_array($search);

And then

$user=$row['forename'] .' '.$row['surname'];