-1

I've tried many times to call the values but it's failed. Maybe my code is not perfect enough.

loginprocess.php //this is the process to call the value

<?php
include("connection.php");
$noic = mysql_real_escape_string($_POST['noic']);
$katalaluan = md5(mysql_real_escape_string($_POST['katalaluan']));

$query = mysql_query("SELECT * FROM daftar_pengguna WHERE noic = '".$noic."'  
AND katalaluan = '".md5."'");
$count=mysql_num_rows($query);

if($count==0)
     {
     echo "Tiada rekod di jumpai.<br>";
     echo "<a href='index.php'>Kembali</a>";
     }
     else
     {
     $row=mysql_fetch_array($query);
     echo("<script>location.href = 'carianstatuspemohonresult.php?
     id=$row[noic]';</script>");
     }
     ?>

userinfo.php //this is to display the value

  <?php 
  include ("connection.php");
  $getId=$_REQUEST["id"]; 

  $query= "SELECT * FROM daftar_pengguna WHERE noic='$getId'";
  $result=mysql_query($query);
  ?>

  <table width="50%" border="1" align="center">
<?php 
while($row=mysql_fetch_array($result))
{
?>
<tr>
<td align="center"><b>NAMA</b></td>
<td align="center"><?php echo $row["nama"];?></td>
</TR>

<TR>
<td align="center"><b>NO IC</b></td> 
<td align="center"><?php echo $row["noic"];?></td>
</TR>

<TR>
<td align="center"><b>KATA LALUAN</b></td>
<td align="center"><?php echo $row["katalaluan"];?></td>
</TR>

<TR>
<td align="center"><b>JAWATAN</b></td>
<td align="center"><?php echo $row["jawatan"];?></td>
</tr>
<tr>
<td align="center"><b>PERINGKAT</b></td>
    <td align="center"><?php echo $row["peringkat"];?></td>
</tr>

<tr>
<td align="center"><b>EMAIL</b></td>
    <td align="center"><?php echo $row["email"];?></td>
</tr>
 <?php } ?>
</table>

And sorry. I'm using mysql. Hope you can help me fix them even though I'm using mysql. Also, hope you can understand the code without understanding the Malay language. Tell me if you need to see other code.

I've changed them. It's the same result. No values called. Hmmm.. :(

ila dila
  • I need to look at your actual code; it seems like you are calling `$row=mysql_fetch_array($result)` twice – Sandip Patel Feb 02 '17 at 17:35
  • I've deleted the other one. But it's the same – ila dila Feb 02 '17 at 17:52
  • 1
    ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 02 '17 at 17:53
  • 1
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 02 '17 at 17:53
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 02 '17 at 17:54

2 Answers

0

You create a md5 value from a posted value, but aren't including it in your WHERE clause... Try ...

$query = mysql_query("SELECT * FROM daftar_pengguna WHERE noic = '".$noic."'  
AND katalaluan = '".$katalaluan."'");
Duane Lortie
0

You have two while loops fetching data in the userinfo.php file:

 while($row=mysql_fetch_array($result)){ // <- Remove this one
 ?>

 <table width="50%" border="1" align="center">
<?php 
while($row=mysql_fetch_array($result))

Later in the first file use proper quotes around "noic":

echo("<script>location.href = 'carianstatuspemohonresult.php?id={$row['noic']}';</script>"); //<-- noic => 'noic'

It seems that you have to remove the first one.

EDIT: Also, you should follow the @DuaneLortie solution and use the variable you've created in your query:

$query = mysql_query("SELECT * FROM
                           daftar_pengguna
                       WHERE noic = '".$noic."'
                         AND katalaluan = '".$katalaluan."'");

Your code has a syntax error. md5 is a function and you are using it as a variable.

You should stop using mysql_* functions since they're deprecated in PHP 5.5 and removed in PHP 7. And finally, an md5 hash isn't secure for hashing passwords. Use bcrypt instead.

Felippe Duarte
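
The fixes suggested in the comments and answers (prepared statements, bcrypt through PHP's built-in functions, no escaping of the password before hashing), shown together as an added example that is not code from the question or either answer. It assumes PDO with an in-memory SQLite database so it runs offline; `register_user()` and `verify_login()` are hypothetical helper names and the sample row is constructed.

```php
<?php
// Added example. In-memory SQLite keeps it self-contained; with MySQL only the
// PDO connection string differs (assumption, not the poster's connection.php).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE daftar_pengguna (noic TEXT PRIMARY KEY, nama TEXT, katalaluan TEXT)');

// Registration side (hypothetical helper): hash the raw password as submitted,
// with no escaping and no md5() applied first.
function register_user(PDO $pdo, string $noic, string $nama, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO daftar_pengguna (noic, nama, katalaluan) VALUES (?, ?, ?)');
    $stmt->execute([$noic, $nama, password_hash($password, PASSWORD_BCRYPT)]);
}

// Login side (hypothetical helper): fetch the row by noic through a bound
// parameter, then check the submitted password against the stored bcrypt hash.
// Returns the row without the hash, or null when the login fails.
function verify_login(PDO $pdo, string $noic, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT noic, nama, katalaluan FROM daftar_pengguna WHERE noic = ?');
    $stmt->execute([$noic]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['katalaluan'])) {
        return null;
    }
    unset($row['katalaluan']); // the hash is not needed after verification
    return $row;
}

// Constructed sample data: the apostrophe in the password needs no escaping.
register_user($pdo, '900101-01-1234', 'Contoh Pengguna', "it's a secret");

$cases = [
    ['900101-01-1234', "it's a secret"], // correct credentials
    ['900101-01-1234', 'wrong'],         // wrong password
    ["' OR '1'='1", 'anything'],         // bound as a literal noic, matches no row
];
foreach ($cases as [$noic, $password]) {
    $user = verify_login($pdo, $noic, $password);
    if ($user === null) {
        echo "Tiada rekod di jumpai.\n";
    } else {
        // loginprocess.php would redirect here; the value is URL-encoded first.
        echo 'carianstatuspemohonresult.php?id=' . rawurlencode($user['noic']) . "\n";
    }
}
```

Only the first case prints the redirect target; the other two print the "Tiada rekod di jumpai." message.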