1

iPhone code

When I use this code it always show error password but I am entering correct credentials.

    NSString *post =[NSString stringWithFormat:@"UserName=%@&UserPas   sword=%@",userNameTextField.text, userPasswordTextFiled.text];

    NSString *hostStr = @"http://www.celeritas-solutions.com/emrapp/connect.php";
     = [hostStr stringByAppendingString:post];
    NSData *dataURL =  [NSData dataWithContentsOfURL: [ NSURL URLWithString: hostStr ]];    
    NSString *serverOutput = [[NSString alloc] initWithData:dataURL encoding: NSASCIIStringEncoding];
    if([serverOutput isEqualToString:@"Yes"]){
           UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Congrats" message:@"You are authorized "
                                                          delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
       [alertsuccess show];
           [alertsuccess release];


    } else {
            UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Error" message:@"Username or Password Incorrect"
                                                          delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
            [alertsuccess show];
            [alertsuccess release];

    }

I am getting validate username and password from data base but it gives sql syntax error that

   You have an error in your SQL syntax; check the manual that corresponds to your   MySQLserver version for the right syntax to use near 'AND UserPassword=' at line 1

  mysql_select_db("emriphone", $con);


  $u=$_GET['UserName'];
  $pw=$_GET['UserPassword'];

   $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

  $login=mysql_query($check,$con) or die(mysql_error());

  if(mysql_num_rows($login)==1){

  $row =mysql_fetch_assoc($login);
  echo 'YES'; exit;
   }

 else{
   echo'NO';exit;
  }

 mysql_connect($con);
3
  • why you have tagged this question for iPhone ? Commented Mar 19, 2012 at 5:39
  • because i am conneting this data base with iphone app and validating password and username Commented Mar 19, 2012 at 6:23
  • so what? There is not any code related to iPhone!! Commented Mar 19, 2012 at 6:32

6 Answers 6

3

You need to place single quotes in your query -

$check ="SELECT UserName, UserPassword 
         FROM   appUsers 
         WHERE UserName='$u'           
         AND UserPassword='$pw'";      // These are probably varchar data columns 
                                       // in your db. In that case, you should 
                                       // put single quotes like this.

When you search text fields in your database, you should place single quotes around them. Otherwise MySQL will report it as an error.

Sign up to request clarification or add additional context in comments.

Comments

2

Maybe you need to add single quotes around around the username and password parameters in your where clause since I'm assuming those are strings. In MySQL you need to wrap the strings in single quotes.

Comments

2

Assuming username and password are text fields you should correct as following

$check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

To

$check ="SELECT UserName,UserPassword from appUsers WHERE UserName='$u' AND UserPassword='$pw'";

included single quote around username and password

Comments

1

Use single quotes for variables in the query ''

Hope this helps you.

17 Comments

I have done like this but every time my script sends No in echo
give if(mysql_num_rows($login)>0)
just echo and see ur query ,run it in query browser , check it
if(mysql_num_rows($check)>0) }
SELECT UserName,UserPassword from appUsers WHERE UserName='' AND UserPassword=''NO this is the output when i run this in browser without sending any input
|
1
 $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

And because you're using mysql, be sure to sanitize the Username and password against SQL Injection by using the following:

$u = mysql_real_escape_string($_GET['UserName']);
$pw = mysql_real_escape_string($_GET['UserPassword']);

And final thought; Use POST instead of GET for a login page ;D hehe

Comments

0

Protect yourself from sql injection while you're at it

$query = sprintf("SELECT UserName,UserPassword from appUsers WHERE UserName='%s' AND UserPassword='%s'", mysql_real_escape_string($u),mysql_real_escape_string($pw));

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.