I am writing a simple user/login system in PHP with PostgreSQL.
I have a function that confirms whether the username/password exists, which gets activated when a user presses the Login button.
    public function confirmUserPass($username, $password){
        $username = pg_escape_string($username);
        /* Verify that user is in database */
        $q = "SELECT password FROM users WHERE email = '$username'";
        $result = pg_query($this->link, $q);
        /* Do more operations */
    }
I want to print the query stored in $result so that I can see it in the browser. When I do it in phpPgAdmin using SQL it shows me the output, but I cannot see it in the browser. I tried echo and printf but I could not see anything in the browser. I also tried View Source in the browser but it shows nothing.
Can somebody help me with that?
Regards
From your code:
    $result = pg_query($this->link,$q);
As you’ve found already, trying to display the contents of $result from the line above will not give you anything useful. This is because it doesn’t contain the data returned by the query; it simply contains a “resource handle”.
In order to get the actual data, you have to call a second function after pg_query(). The function you need is pg_fetch_array(). pg_fetch_array() takes the resource handle that you’re given in $result, and asks it for its next set of data.
A SQL query can return multiple results, and so it is typical to put pg_fetch_array() into a loop and keep calling it until it returns false instead of a data array. However, in a case like yours where you are certain that it will return only one result, it is okay to simply call it once immediately after pg_query() without using a loop.
Your code could look like this:
Once you have $data, then you’ve got the actual data from the DB.
In order to view the individual fields in $data, you need to look at its array elements. It should have an array element named for each field in the query. In your case, your query only contains one field, so it would be called $data['password']. If you have more fields in the query, you can access them in a similar way.
So your next line of code might be something like this:
If you want to see the raw data, you can display it to the browser using the print_r() or var_dump() functions. These functions are really useful for testing and debugging. (Hint: wrap these calls in <pre> tags in order for them to show up nicely in the browser.)
Hope that helps.
[EDIT: an after-thought]
By the way, slightly off-topic, but I would like to point out that your code indicates that your system may not be completely secure (even though you are correctly escaping the query arguments).
A truly secure system would never fetch the password from the database. Once a password has been stored, it should only be used in the WHERE clause when logging in, not fetched in the query.
A typical query would look like this:
In this case, the password would be stored in the DB as a hashed value rather than plain text, and the WHERE clause would compare that against a hashed version of the password that has been entered by the user.
The idea is that this allows us to avoid having passwords accessible as plain text anywhere in the system, which reduces the risk of hacking, even if someone does manage to get access to the database.
It’s not foolproof of course, and it’s certainly not the whole story when it comes to this kind of security, but it would definitely be better than the way you seem to have it now.
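As an added example (not part of the answer above and not the asker's code), here is one way to combine the two points it makes: fetching a row from the query result, and comparing a hashed password inside the WHERE clause, using a parameterized query instead of manual escaping. It assumes the pgcrypto extension is installed and that the password column was written with crypt(..., gen_salt('bf')); the id column and the function name findUserId are hypothetical.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: pgcrypto is installed (CREATE EXTENSION pgcrypto;) and
// users.password was stored as crypt('plaintext', gen_salt('bf')).
// The id column and the function name findUserId are hypothetical.

/**
 * Returns the matching user's id, or null when the e-mail/password pair is wrong.
 */
function findUserId($link, string $email, string $password): ?int
{
    // Placeholders ($1, $2) keep user input out of the SQL text entirely,
    // so no manual escaping is needed.
    $sql = 'SELECT id FROM users
            WHERE email = $1 AND password = crypt($2, password)';

    // pg_query_params() returns a result handle, not the rows themselves.
    $result = pg_query_params($link, $sql, [$email, $password]);
    if ($result === false) {
        // Log server-side; never echo database errors to the browser.
        error_log('login query failed: ' . pg_last_error($link));
        return null;
    }

    // Fetch the single expected row; false means no row matched.
    $row = pg_fetch_assoc($result);
    pg_free_result($result);

    return $row === false ? null : (int) $row['id'];
}

// Usage (the connection string is a placeholder):
// $link = pg_connect('host=localhost dbname=app user=app');
// $id = findUserId($link, $_POST['email'], $_POST['password']);
// echo $id === null ? 'Login failed' : 'Logged in';
```

Because the plaintext password travels to the database as a query parameter in this design, the connection should use TLS and server statement logging should not record parameter values.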