I have moved from MySQL to Sqlsrv and was updating my PHP. I'm not that versed in PHP and definitely not Sqlsrv, but have been using the PHP: SQLSRV Manual. Here is my PHP code:

<?php
include '../includes/dbconfig.php';
session_start();

if($_SERVER["REQUEST_METHOD"] == "POST") {

// username and password sent from Form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
//extract($_POST);

$sql="SELECT username FROM dbname WHERE username='$myusername' and userpassword='$mypassword'";
$result=sqlsrv_query($conn,$sql) or die(print_r(sqlsrv_errors(),true));

if ($result) {
   $rows = sqlsrv_has_rows( $result );
   if ($rows === true)
        echo "There are rows. <br />";
    {
        $_SESSION['login_user']=$myusername;
        header("Location: orderform.php");
    }
   else 
    { $error="Your Login Name or Password is invalid"; }
}
}
?>

The code that is causing the problem is:

{
$_SESSION['login_user']=$myusername;
header("Location: orderform.php");
}

If I comment those lines out, the login form comes up and if I put a correct username and password, I get the "There are rows" comment. If not, I get "Your Login Name or Password is invalid". Once I put those lines back in, the login screen will not even come up. I don't get an error or anything. I've been working on this for 2 days...can someone help me out?

DsiTx
  • A few problems here. "There are rows" should most likely be inside the brackets. Secondly, the location redirect is going to fail because you've sent output "There are rows" to the browser. Obligatory: this is insecure on many levels. – Matt Mar 29 '17 at 18:16
  • Do you have a suggestion for where I can go to learn more about how to secure this code? – DsiTx Mar 29 '17 at 18:43
  • See Jay Blanchard's comment here: http://stackoverflow.com/questions/43101559/why-am-i-receiving-a-json-exception-trying-to-load-data-from-host-url#comment73284732_43101559 – Matt Mar 29 '17 at 18:45

1 Answer

I think you have the wrong bracket structure:

   if ($rows === true)
        echo "There are rows. <br />";
    {
        $_SESSION['login_user']=$myusername;
        header("Location: orderform.php");
    }
   else 
    { $error="Your Login Name or Password is invalid"; }

Should be:

   if ($rows === true)
    {
        echo "There are rows. <br />";
        $_SESSION['login_user']=$myusername;
        header("Location: orderform.php");
    }
   else 
    { $error="Your Login Name or Password is invalid"; }
szako
  • That worked. Thank you for your help. Thank you to @mkaatman as well. When I removed the echo, the orderform page still didn't come up, but there are probably multiple problems with that code. I will tackle it next. – DsiTx Mar 29 '17 at 18:44
  • This code still won't work because you're echoing before the header() call. – Matt Mar 29 '17 at 18:46
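
A version of the login handler with no output before `header()`, a parameterized query instead of `$_POST` values concatenated into the SQL string, and a hashed-password check, as an added example that is not code from the question or the answer. It reuses the page's `$conn`, `dbname`, `username` and `userpassword` names and assumes the `userpassword` column stores a `password_hash()` value rather than the plain password.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumes dbconfig.php defines $conn (as on the page) and that the
// userpassword column holds a password_hash() value (assumption).
include '../includes/dbconfig.php';
session_start();

$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $myusername = isset($_POST['username']) ? (string)$_POST['username'] : '';
    $mypassword = isset($_POST['password']) ? (string)$_POST['password'] : '';

    // The ? placeholder keeps user input out of the SQL text.
    $sql  = 'SELECT username, userpassword FROM dbname WHERE username = ?';
    $stmt = sqlsrv_query($conn, $sql, array($myusername));

    if ($stmt === false) {
        // Log the driver error server-side; do not print it to the browser.
        error_log(print_r(sqlsrv_errors(), true));
        $error = 'Login is temporarily unavailable';
    } else {
        // Returns an array for a match, null for no row, false on error.
        $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
        sqlsrv_free_stmt($stmt);

        if (is_array($row) && password_verify($mypassword, $row['userpassword'])) {
            session_regenerate_id(true);   // new session ID after login
            $_SESSION['login_user'] = $row['username'];
            // Nothing has been echoed yet, so the header can still be sent.
            header('Location: orderform.php');
            exit;                          // stop before any form HTML is output
        }
        $error = 'Your Login Name or Password is invalid';
    }
}
?>
```

The login form's HTML follows the closing `?>` and can display `$error` through `htmlspecialchars()`; the opening `<?php` must be the first bytes of the file, since leading whitespace or a BOM also counts as output sent before `header()`.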