VenatusDev

I need help!

So my friend and I are making an RPG website for fun and we've run into a problem. We suck at PHP. We are so bad that we don't even know how to pull one value out of an SQL query. Please can someone help us get the 'name' value from this SQL query in PHP 7. Thanks!

<?PHP
session_start();
$email = $_POST['email'];
$password = sha1($_POST['password']);

$con = mysqli_connect('CENSORED','CENSORED','CENSORED');
mysqli_select_db($con, "BATTLE");

$q = "SELECT * FROM players WHERE email == '$email'";
$result = mysqli_query($con, $q);
$num = mysqli_num_rows($result);
if($num == 0){
$_SESSION['email'] = $email;
// GET THE NAME!!
}
?>

Top comments (7)

Martin Himmel

The WHERE email == '$email' part of the query should be WHERE email = '$email'. SQL uses a single equals sign as the comparison operator.

As for the results, try using mysqli_fetch_assoc.

Also, for passwords, don't use sha1. Use the password_hash and password_verify functions instead, as they're much more secure.

VenatusDev

Thank you Martin for your reply, also thanks for the notice on using password_hash instead. I will try this now!

Mohammed Samgan Khan

What's the problem you are facing? Please mention the problem. Moreover, this is a common topic too; you will find plenty of tutorials to get this info.

But I'll suggest going through the PHP basics first before diving into getting the project done.

Nick M

You also might want to think about preparing your queries instead of putting the user input right in there.

$con = new mysqli($dbhost, $dbuser, $dbpass, $dbname); // connection details kept in variables, not bare words
$params = [];
$params[] = $_POST['email'];
$query = "SELECT * FROM players WHERE email = ?";
$query = $con->prepare($query);
// one 's' (string) type character per bound value; the spread passes each param in order
$query->bind_param(str_repeat('s', count($params)), ...$params);
$query->execute();
$result = $query->get_result();

Then when you want other fields, just pop other ? placeholders in, e.g.

$params[] = $_POST['email'];
$params[] = $_POST['name'];
$query = "SELECT * FROM players WHERE email = ? AND name = ?";

This goes a long way towards securing you against an attack called SQL injection, which is not good for business.
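
The two pieces of advice above (Martin Himmel's mysqli_fetch_assoc plus password_hash/password_verify, and Nick M's prepared statements) fit together into one login script. The following is an added example written for this thread, not code from the original post or from either commenter. It assumes a players table with columns email, name and password_hash (the last one holding output of password_hash()), and the connection values are placeholders.

```php
<?php
// Added example: login check using a prepared statement, fetch_assoc() to read the
// 'name' column, and password_verify() instead of sha1(). Assumes a `players` table
// with columns email, name, password_hash. Connection values are placeholders.
session_start();

$con = mysqli_connect('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'BATTLE');
if ($con === false) {
    http_response_code(500);
    exit('Database connection failed');
}

// Signup side: store a salted hash, never the raw password or a bare sha1().
function createPlayer(mysqli $con, string $email, string $name, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO players (email, name, password_hash) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $email, $name, $hash); // three string placeholders
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login side: the '?' is bound as a value, never interpolated into the SQL text,
// so an email like "' OR '1'='1" is just compared as a string.
function findPlayerByEmail(mysqli $con, string $email): ?array
{
    $stmt = $con->prepare('SELECT name, password_hash FROM players WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc(); // associative array, or null when no row matched
    $stmt->close();
    return $row ?: null;
}

$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

$player = findPlayerByEmail($con, $email);

// password_verify() compares in constant time against the hash stored at signup.
if ($player !== null && password_verify($password, $player['password_hash'])) {
    session_regenerate_id(true);          // fresh session id after a successful login
    $_SESSION['email'] = $email;
    $_SESSION['name']  = $player['name']; // this is the 'name' value the question asks for
    echo 'Welcome, ' . htmlspecialchars($player['name'], ENT_QUOTES, 'UTF-8');
} else {
    // Same message for unknown email and wrong password, so the form does not
    // reveal which accounts exist.
    http_response_code(401);
    echo 'Invalid email or password';
}
```

Two notes on the design: the query selects only the columns it needs rather than SELECT *, and the branch sets the session only when a row was found and the password verified (the original code set $_SESSION['email'] when mysqli_num_rows returned 0, which is the opposite of what a login should do). get_result() requires the mysqlnd driver; on builds without it, use bind_result() and fetch() on the statement instead.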

VenatusDev

Thank you so much for your reply, I had no idea how to be secure against SQL injections so this will definitely help!

Peyton McGinnis

Did you try StackOverflow already? Not to be rude or anything.

VenatusDev

Yes, I did try StackOverflow before. Unfortunately I found it difficult to find an answer.