Posted

Hello Forum:


I'm just now trying to learn PHP and read that using PDO was a better way to utilize online databases. I have my Registration page completed, storing client info in a MySQL db, all done using PDO. However, I'm having a little trouble with the Login page. I don't know if I'm using the PDO stuff the right way.


    // Prepared statement with two positional placeholders.
    // The column list must not be wrapped in parentheses: MySQL rejects
    // SELECT (username, password) with "Operand should contain 1 column(s)".
    $stmt = $db->prepare('SELECT username, password FROM members WHERE username LIKE ? AND password LIKE ?');
    $stmt->bindValue(1, "%$uname%", PDO::PARAM_STR);  // wildcard on both sides of the value
    $stmt->bindValue(2, "%$pwd1%", PDO::PARAM_STR);
    $stmt->execute();
    echo $affected_rows = $stmt->rowCount();  // prints the count that rowCount() reports
I'm not sure if I have the bindValue statements right, and I'm only assuming (hence the echo statement) that, if this is a valid username and password, one row will be affected. Like I said, I'm new to PHP, and this is my second day. So I imagine I have this code all wrong. Can someone set me on the right track? Much appreciated.


~Landslyde

Posted

I don't have a huge amount of experience with PDO... but the place to start with is checking your work against the documentation: http://php.net/manual/en/pdostatement.bindvalue.php


You should also check http://php.net/manual/en/pdostatement.rowcount.php: "For most databases, PDOStatement::rowCount() does not return the number of rows affected by a SELECT statement. Instead, use PDO::query() to issue a SELECT COUNT(*) statement with the same predicates as your intended SELECT statement, then use PDOStatement::fetchColumn() to retrieve the number of rows that will be returned. Your application can then perform the correct action." See example #2 in the link for a sample.


I would also suggest that you be checking for exact matches, not "like", because you might accidentally match something that shouldn't be matched. For example, if someone enters "password" as their password, you don't want the query to also match for "password1" and "1password2" (which I believe currently happens, due to the "%" before and after your variables). You'd want to use "=" instead.
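An added example (not code from either poster) of a login check that applies both points above: an exact "=" match instead of LIKE, and fetching the matched row instead of relying on rowCount() for a SELECT. It also keeps the password out of the SQL entirely and compares it with password_verify(). It assumes the members table has columns username and password, that the password column holds a hash produced by password_hash() at registration, and that $db is a PDO connection; all three are assumptions, not details from the thread.

```php
<?php
// Added example. Assumes $db is a PDO connection and that the `password`
// column stores a password_hash() digest rather than the raw password.

/**
 * Returns true only when $uname exists and $pwd1 matches its stored hash.
 */
function loginIsValid(PDO $db, string $uname, string $pwd1): bool
{
    // Exact match on the username only: no "%" wildcards, and the password
    // is never sent to the database, so nothing in SQL can partially match.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->bindValue(1, $uname, PDO::PARAM_STR);
    $stmt->execute();

    // fetchColumn() returns false when no row matched. This replaces the
    // rowCount() check, which is not reliable for SELECT statements.
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false) {
        // Unknown user: still run one hash comparison so the response takes
        // about as long as a wrong password, which limits username guessing
        // by timing. The dummy hash is built once per process.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($pwd1, $dummyHash);
        return false;
    }

    return password_verify($pwd1, $storedHash);
}

// Usage with constructed connection details (assumption): the username and
// password would normally come from the submitted login form.
$db = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbsecret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$uname = $_POST['username'] ?? '';
$pwd1  = $_POST['password'] ?? '';

// Same message for both failure cases, so the response does not reveal
// whether the username exists.
echo loginIsValid($db, $uname, $pwd1) ? 'Login OK' : 'Invalid username or password';
```

At registration the stored value would be produced with password_hash($pwd1, PASSWORD_DEFAULT), so the comparison above never needs the plaintext password in the database.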
