-1

I want the following code to return the userID from MySQL tblUser of the user if the email and password matched. Currently it is not returning anything.

<?php

     include 'config.inc.php';

     // Check whether username or password is set from android  
     if(isset($_POST['email']) && isset($_POST['password']))
     {
          // Initialize variable
          $result='';
          $email = $_POST['email'];
          $password = $_POST['password'];

          // Query database to check whether the row exists
          $sql = 'SELECT UserID FROM tblUser WHERE  email = :email AND password = :password';
          $stmt = $conn->prepare($sql);
          $stmt->bindParam(':email', $email, PDO::PARAM_STR);
          $stmt->bindParam(':password', $password, PDO::PARAM_STR);
          $stmt->execute();
          if($stmt->rowCount())
          {
             $result="true" . UserID;   
          }  
          elseif(!$stmt->rowCount())
          {
                $result="false";
          }

          // send result back to android
          echo $result;
    }

?>
Ravi
LESETJA
  • 1
    **Never store passwords in clear text!** Only store password hashes! Use PHP's [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php). If you're running a PHP version lower than 5.5 (which I _really_ hope you aren't), you can use the [password_compat library](https://github.com/ircmaxell/password_compat) to get the same functionality. – M. Eriksson Oct 01 '17 at 12:55
  • 1
    You can't just write `UserID` in your code to get the result (that's, most likely, an undefined constant). You need to read the manual about how to get the result: http://php.net/manual/en/pdostatement.fetch.php – M. Eriksson Oct 01 '17 at 12:59
  • Either your initial conditions are not met or your script errors out. You need to display the errors or check your server log to see if there are any. – jeroen Oct 01 '17 at 13:01
  • Btw, you don't need to use `elseif` in that statement. You only need `else` since there can only be two states for that expression. – M. Eriksson Oct 01 '17 at 13:05

1 Answer

0

For most databases, PDOStatement::rowCount() does not return the number of rows affected by a SELECT statement. Instead, use PDO::query() to issue a SELECT COUNT(*) statement with the same predicates as your intended SELECT statement, then use PDOStatement::fetchColumn() to retrieve the number of rows that will be returned. Your application can then perform the correct action.

Instead, you could do:

      if($data = $stmt->fetch())
      {
         $result="true".$data['UserID'];
      }  
      else
      {
            $result="false";
      }
Ravi
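The `password_hash()`/`password_verify()` advice from the comments combined with the `fetch()` approach from the answer, as an added example that is not part of the original question or answer. It assumes the `password` column stores a `password_hash()` value; the in-memory SQLite table (standing in for the MySQL connection from `config.inc.php`), the sample user and the helper names `findUserId` and `loginResponse` are constructed for illustration.

```php
<?php
// Added example: constructed in-memory SQLite table standing in for the
// MySQL tblUser reached through $conn in config.inc.php (assumption).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE tblUser (UserID INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');

// Constructed sample user; the password column holds a hash, never the clear text.
$insert = $conn->prepare('INSERT INTO tblUser (email, password) VALUES (:email, :hash)');
$insert->execute([
    ':email' => 'user@example.com',
    ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
]);

/**
 * Returns the UserID when the email exists and the password matches its
 * stored hash, otherwise null. (Hypothetical helper, not from the post.)
 */
function findUserId(PDO $conn, string $email, string $password): ?int
{
    // Look the row up by email only; the hash cannot be compared in SQL.
    $stmt = $conn->prepare('SELECT UserID, password FROM tblUser WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches

    if ($row === false) {
        return null;
    }
    // password_verify() re-hashes the candidate with the stored salt and cost.
    return password_verify($password, $row['password']) ? (int) $row['UserID'] : null;
}

// Same response format as the question: "true<UserID>" or "false".
function loginResponse(PDO $conn, string $email, string $password): string
{
    $userId = findUserId($conn, $email, $password);
    return $userId === null ? 'false' : 'true' . $userId;
}

echo loginResponse($conn, 'user@example.com', 'correct horse'), "\n";
echo loginResponse($conn, 'user@example.com', 'wrong password'), "\n";
echo loginResponse($conn, 'nobody@example.com', 'correct horse'), "\n";
```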