VenatusDev

Posted on Jun 30, 2019

I need help!

#php #help

So me and my friend are making an RPG website for fun and we've run into a problem. We suck at PHP. We are so bad that we dont even know how to pull out one value from an SQL query. Please can someone help us get the 'name' value from this SQL query in PHP7. Thanks!

<?PHP
session_start();
$email = $_POST['email'];
$password = sha1($_POST['password']);

$con = mysqli_connect('CENSORED','CENSORED','CENSORED');
mysqli_select_db($con, "BATTLE");

$q = "SELECT * FROM players WHERE email == '$email'";
$result = mysqli_query($con, $q);
$num = mysqli_num_rows($result);
if($num == 0){
$_SESSION['email'] = $email;
// GET THE NAME!!
}
?>

Top comments (7)

Martin Himmel • Jul 1 '19

The WHERE email == '$email' part of the query should be WHERE email = '$email' - SQL uses single equals sign as a comparison operator.

As for the results, try using mysqli_fetch_assoc.

Also, for passwords, don't use sha1. Use the password_hash and password_verify functions instead, as they're much more secure.

VenatusDev • Jul 2 '19

Thank you Martin for your reply, also thanks for the notice on using password_hash instead. I will try this now!

Mohammed Samgan Khan • Jul 1 '19

whats the problem you are facing? please mention the problem. Moreover, this is a commont topic too, you will find plenty of tutorials to get this info.

but ill suggest going through the PHP basic first before diving into the getting the project done.

Nick M • Jul 4 '19

You also might want to think about preparing your queries instead of putting the user input right in there.

$con = new mysqli(dbhost, dbuser, dbpass, dbname);
$params[] = $_POST['email'];
$query = "SELECT * FROM players WHERE email = ?";
$query = $con->prepare($query);
$query->bind_param(str_repeat('s', count($params)), ...$params);
$query->execute();
$result = $query->get_result();

Then when you want other fields just pop other ? in e.g.

$params[] = $_POST['email'];
$params[] = $_POST['name'];
$query = "SELECT * FROM players WHERE email = ? AND name = ?";

This goes a ways to secure you against an attack called SQL injection which is not good for business

VenatusDev • Jul 4 '19

Thank you so much for your reply, I had no idea how to be secure against SQL injections so this will definitely help!

Peyton McGinnis • Jul 1 '19

Did you try StackOverflow already? Not to be rude or anything.

VenatusDev • Jul 1 '19

Yes I did try StackOverflow before. Unfortunately I found It difficult to find an answer.

DEV Community

I need help!

Top comments (7)

Read next

How to Migrate NGINX Website to ServBay

FetchPHP 2.0: An Update To Bring Javascript's Fetch & True Async To PHP (Now With Superpowers!)

Why Zone.eu is the Top Choice for Affordable and Reliable Web Hosting

Setting Up Laravel on Your Own Server: A DIY Guide