
I have the following problem:

I retrieve several pieces of information from my database, and I succeed in displaying them in a TextView on my Android phone. The problem is that when I do the MySQL request, I compare mail with "a@a.a".

$query = $handler->query('SELECT name, firstName, mail, nationality, city FROM login WHERE mail = "a@a.a"');

And I try to compare with $_SESSION['mail'], but with this method I don't get any results.

$query = $handler->query('SELECT name, firstName, mail, nationality, city FROM login WHERE mail = "'.$email.'"');

Maybe the problem is with session_start() or $_SESSION[], but I can't find it, so I'd be grateful if you can help me!

I put my different code files below:

config.php

<?php
try {
    $handler = new PDO('mysql:host=localhost;dbname=project', 'root', 'xxxx');
    $handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    session_start();
    $email = $_SESSION['mail'];
    echo "$email + toto";

} catch (Exception $e) {
    echo $e->getMessage();
    die();
}
?>

login.php

<?php
$connect = mysql_connect('localhost', 'root', 'aragorn11') or die("erreur de connexion");
mysql_select_db('project', $connect) or die("erreur de connexion base");
session_start();
$email = $_SESSION['mail'];

// Retrieve the elements needed to make the login connection
$password = $_POST["password"];
$mail = $_POST["mail"];

if (!empty($_POST)) {
    if (empty($_POST['mail']) || empty($_POST['password'])) {
        // Create some data that will be the JSON response
        $response["success"] = 0;
        $response["message"] = "One or both of the fields are empty .";

        // die is used to kill the page and will not let the code below execute. It will also
        // display the parameter, i.e. the JSON data which our Android application will parse
        // to show to the users
        die(json_encode($response));
    }
    $query = "SELECT * FROM login WHERE mail = '$mail' and password = '$password'";

    $sql1 = mysql_query($query);
    $row = mysql_fetch_array($sql1);
    if (!empty($row)) {
        $response["success"] = 1;
        $response["message"] = "You have been sucessfully login";
        $_SESSION['mail'] = $mail;
        die(json_encode($response));
    }
    else {
        $response["success"] = 0;
        $response["message"] = "invalid mail or password ";
        die(json_encode($response));
    }
}
else {
    $response["success"] = 0;
    $response["message"] = " One or both of the fields are empty ";
    die(json_encode($response));
}
mysql_close();
?>

And info.php:

<?php
include ('config.php');

$query = $handler->query('SELECT name, firstName, mail, nationality, city FROM login WHERE mail = "'.$email.'"');
$records = array();
$records = $query->fetchAll(PDO::FETCH_ASSOC);
$json['login'] = $records;
echo json_encode($json);
?>

Thank you very much for your help.

Mike Laren
mickey74
    Why are you using `PDO` in your `config.php` and `info.php`, but `mysqli_*` in your `login.php`? – Sean Feb 15 '15 at 23:21
  • Try echoing the `$email` variable to see what is in there. If the hardcoded query works probably the problem is in the variable. – Alvaro Flaño Larrondo Feb 15 '15 at 23:30
  • See [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174/2257664). What happens if `$_POST['mail']` is `'; DELETE FROM login;'`? – A.L Feb 15 '15 at 23:47
  • Try to put the `session_start()` at the very top. And make sure no output is sent (not even whitespace) before it. – kabirbaidhya Feb 16 '15 at 03:19
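The following is an added example, not code from the asker or the commenters, showing how the login and info endpoints above look when `session_start()` runs before any output, the mail value is bound as a PDO parameter instead of being concatenated into the SQL, and `info.php` reads the mail only from the session. It assumes the same `login` table with a `password` column holding `password_hash()` output; the DSN credentials and the `respond`/`login`/`info` helper names are placeholders chosen here.

```php
<?php
// Added example (not the asker's code). Assumes table `login` with columns
// mail, password (password_hash() output), name, firstName, nationality, city.
session_start(); // before any echo or whitespace, otherwise headers are already sent

$handler = new PDO('mysql:host=localhost;dbname=project;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Hypothetical helper: emit the JSON the Android app parses and stop.
function respond(int $success, string $message, array $extra = []): void {
    header('Content-Type: application/json');
    echo json_encode(['success' => $success, 'message' => $message] + $extra);
    exit;
}

// login.php logic: POST mail + password
function login(PDO $handler): void {
    $mail = $_POST['mail'] ?? '';
    $password = $_POST['password'] ?? '';
    if ($mail === '' || $password === '') {
        respond(0, 'One or both of the fields are empty.');
    }
    // Bound parameter: the mail value can never change the SQL structure.
    $stmt = $handler->prepare('SELECT password FROM login WHERE mail = :mail');
    $stmt->execute([':mail' => $mail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; never store or compare plaintext passwords.
    if ($row === false || !password_verify($password, $row['password'])) {
        respond(0, 'Invalid mail or password.');
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['mail'] = $mail;
    respond(1, 'Login successful.');
}

// info.php logic: the mail comes from the session only, never from the request
function info(PDO $handler): void {
    if (empty($_SESSION['mail'])) {
        respond(0, 'Not logged in.');
    }
    $stmt = $handler->prepare(
        'SELECT name, firstName, mail, nationality, city FROM login WHERE mail = :mail');
    $stmt->execute([':mail' => $_SESSION['mail']]);
    respond(1, 'ok', ['login' => $stmt->fetchAll(PDO::FETCH_ASSOC)]);
}

isset($_POST['mail']) ? login($handler) : info($handler);
```

Note that `info` only sees `$_SESSION['mail']` when the client sends back the session cookie it received from the login request; a client that issues each HTTP request without a cookie store gets a new, empty session every time.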

0 Answers