Get field in table with Mysqli

0

I'm trying to create a comparison in my code to verify that the password you entered is the same as the one you entered.

I used it as follows:

function confirmaPedido ($conexao, $numeroPedido, $senha) {
    $querySenha = mysqli_query($conexao, "Select senha from adm where senha = $senha");
    if (!is_numeric($numeroPedido) || empty($numeroPedido)) {
        echo "Por favor insira um NUMERO no campo numero do pedido";
    }
    elseif ($senha === $querySenha) {
        $queryApaga = mysqli_query($conexao, "delete from pedido where pedido = $numeroPedido");
        echo "Pedido finalizado com sucesso.";
    }
    else {
        echo "Senha ou Pedido não são validos, tente novamente!";
    }
}

If I use the operator to check that $senhaPedido is exactly equal to $senha, the code jumps to the else. I received the response below from another user, but I could not understand it very well.

mysqli_query returns a mysqli_result. You will have to use mysqli_fetch_* to get the row and then to get the "senha" field.

How does the query return the result? What is the difference between the two? And how do I "select" the password field in the table and check if it is identical?

asked by anonymous 27.03.2015 / 14:42

1 answer

2

Tidying up just what you asked for, it would look something like this:

function confirmaPedido ( $conexao, $numeroPedido, $senha ) {
   $resultado = mysqli_query( $conexao,
      "SELECT senha FROM adm WHERE senha = '$senha' "
   );

   if (!is_numeric($numeroPedido) || empty($numeroPedido)) {
      echo "Por favor insira um NUMERO no campo numero do pedido";
   }
   // mysqli_query returns false on error, so guard before fetching;
   // fetch_row() yields a row only when the WHERE clause matched.
   elseif( $resultado && $resultado->fetch_row() ) {
      $queryApaga = mysqli_query($conexao, "delete from pedido where pedido = $numeroPedido");
      echo "Pedido finalizado com sucesso.";
   }
   else {
      echo "Senha ou Pedido não são validos, tente novamente!";
   }
}

The $resultado->fetch_row() is used to get the output of the query. In this case, I'm not using the result itself, because if the WHERE returned something, it's because the password already matched.

Now, here is a list of things you can take into consideration to make a more complete application:

  • You are storing the passwords in the database. This is bad in terms of security; the ideal would be to store them irreversibly (using some kind of hash + salt at least), and when testing the password provided by the user, repeat the process and see if the hashes match.

  • You are concatenating strings to do your SELECT. The ideal is to use binding to avoid SQL injections and also organize your code. Here are more details

  • You are first picking up the data from the DB, and testing the order number later. It is much better to test the order number first, because if it is empty you do not even have to do the query, which would be in vain in this situation.

27.03.2015 / 14:53
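As an added example (not the answer's code), here is the same confirmaPedido() reworked along the three points in the list: order number checked first, prepared statements instead of string concatenation, and the password compared against a stored hash. It assumes the adm table has a single admin row whose senha column holds a password_hash() value, and it returns the message instead of echoing it.

```php
<?php
// Added example, not from the original answer.
// Assumption: adm.senha stores password_hash($senha, PASSWORD_DEFAULT),
// not the clear-text password, and adm holds one admin row.
function confirmaPedido(mysqli $conexao, $numeroPedido, string $senha): string
{
    // 1. Validate the order number before touching the database.
    if (!is_numeric($numeroPedido) || empty($numeroPedido)) {
        return "Por favor insira um NUMERO no campo numero do pedido";
    }

    // 2. Fetch the stored hash with a prepared statement. Since a hash
    //    cannot be looked up by password, we read the admin row and
    //    verify in PHP. No user input is part of the SQL text.
    $stmt = $conexao->prepare("SELECT senha FROM adm LIMIT 1");
    $stmt->execute();
    $stmt->bind_result($hashArmazenado);
    $encontrou = $stmt->fetch();
    $stmt->close();

    // 3. Compare with password_verify(), never with === on raw strings.
    if (!$encontrou || !password_verify($senha, $hashArmazenado)) {
        return "Senha ou Pedido não são validos, tente novamente!";
    }

    // 4. Delete the order with a bound integer parameter.
    $del = $conexao->prepare("DELETE FROM pedido WHERE pedido = ?");
    $numero = (int) $numeroPedido;
    $del->bind_param("i", $numero);
    $del->execute();
    $apagados = $del->affected_rows;
    $del->close();

    // affected_rows tells us whether the order actually existed.
    return $apagados > 0
        ? "Pedido finalizado com sucesso."
        : "Senha ou Pedido não são validos, tente novamente!";
}

// Usage (connection details are placeholders):
// $conexao = new mysqli("localhost", "usuario", "senha_db", "banco");
// echo confirmaPedido($conexao, $_POST['pedido'], $_POST['senha']);
```

When the admin password is first registered, store `password_hash($senha, PASSWORD_DEFAULT)` in adm.senha so that password_verify() above has something to check against.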