Username availability check against MSSQL using AJAX and PHP

I have a database already full of clients. We are trying to let them set up online access. They must provide their member ID to set up their online account. I have built a test form that allows input to memberid and should check to see if we find them in the database. I have pulled my hair out trying to get this to work. I have also made CRUD so I know my connection to MSSQL is working.

What is wrong with this code?

FORM

<div class="container">
<div>Member ID: <input type="text" maxlength="10" name="uname" id="uname" /><span id="status"></span></div>
<div>Pass: <input type="password" maxlength="10" name="pwd" id="pwd" /></div>

</div>
<script type="text/javascript">
document.getElementById("uname").onblur = function() {
    var xmlhttp;
    var uname = document.getElementById("uname");
    if (uname.value != "") {
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                document.getElementById("status").innerHTML = xmlhttp.responseText;
            }
        };
        xmlhttp.open("GET", "uname_availability.php?uname=" + encodeURIComponent(uname.value), true);
        xmlhttp.send();
    }
};
</script>

And here is uname_availability.php

<?php
$uname=$_REQUEST['uname'];

$server = "serveraddress";
$user = "username";
$pwd = "password";
$db = "dbname";

$conn = sqlsrv_connect($server, array("UID"=>$user, "PWD"=>$pwd, "Database"=>$db));

if($conn === false){
    die(print_r(sqlsrv_errors()));
}

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";
$stmt3 = sqlsrv_query($conn, $sql);
$row_count = sqlsrv_num_rows($stmt3);
if ($row_count === false)
{
print "<span style=\"color:red;\">We Can Not Find You :(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :)  </span>";
}
?>

I ended up getting it with this...thanks for all the input...I really appreciate it all!

$sql = "SELECT MemberID FROM tblMembership WHERE MemberID = '".$memid."'";
$stmt = sqlsrv_query($conn, $sql);
$row = sqlsrv_fetch($stmt);
if (empty($row))
{
print "<span style=\"color:red;\">We Can Not Find You >:-(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :-)  </span>";
}

Your query is failing, because you've failed to quote your $username parameter, leading to both incorrect and invalid SQL, and an SQL injection attack vulnerability:

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";
                                                     ^--        ^--

Without the quotes, you're doing WHERE MemberID = fred, and I highly doubt you've got a fred field in your membership table.

Since your code blindly assumes the query is working correctly, you will never ever see the syntax error warnings that SQL server WILL HAVE been providing.

Don't you need to quote the value of your parameter in your SQL statement?

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";

would then become

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";

Why don't you explicitly use $_GET,

if(isset($_GET['uname']))
{
  $uname=$_GET['uname'];
}

And then query like,

$sql = "SELECT * FROM tblMembership WHERE MemberID ='$uname'";
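
Added example, not part of the question or any answer above: quoting the value fixes the syntax error, but the concatenated input is still the SQL injection point the first answer mentions, so this version of uname_availability.php binds it as a parameter and checks for a row with sqlsrv_has_rows(). The function name member_exists and the 1-10 character alphanumeric MemberID format are assumptions; the connection values are the question's placeholders.

```php
<?php
// Added example: uname_availability.php with a bound parameter.
// member_exists() is a hypothetical helper name; the alphanumeric
// MemberID format is an assumption, adjust it to the real one.

function member_exists($conn, string $memberId): ?bool
{
    // The value travels as a bound parameter, never as part of the SQL text,
    // so quotes in the input cannot change the query.
    $sql  = "SELECT MemberID FROM tblMembership WHERE MemberID = ?";
    $stmt = sqlsrv_query($conn, $sql, array($memberId));
    if ($stmt === false) {
        // Keep driver errors in the server log, not in the HTTP response.
        error_log(print_r(sqlsrv_errors(), true));
        return null;
    }
    // sqlsrv_has_rows() works with the default forward-only cursor;
    // sqlsrv_num_rows() returns false unless a static or keyset cursor is used.
    $found = sqlsrv_has_rows($stmt);
    sqlsrv_free_stmt($stmt);
    return $found;
}

// Reject arrays (uname[]=x) and anything outside the expected format.
$raw   = $_GET['uname'] ?? '';
$uname = is_string($raw) ? trim($raw) : '';
if (!preg_match('/^[A-Za-z0-9]{1,10}\z/', $uname)) {
    exit('<span style="color:red;">Invalid member ID</span>');
}

$conn = sqlsrv_connect("serveraddress",
    array("UID" => "username", "PWD" => "password", "Database" => "dbname"));
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true));
    $exists = null;
} else {
    $exists = member_exists($conn, $uname);
    sqlsrv_close($conn);
}

if ($exists === null) {
    // The form's onblur handler only renders responses with status 200.
    http_response_code(500);
    print '<span style="color:red;">Lookup unavailable</span>';
} elseif ($exists) {
    print '<span style="color:green;">We Found You :)</span>';
} else {
    print '<span style="color:red;">We Can Not Find You :(</span>';
}
```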