Hello again, sorry for all those posts but I’m particularly slow this morning.
I’m not sure how this may work.
I need to fetch the data from a given query, then use that fetched data to put on session variables.
I’m with something like this right now:
$stmt = $this->_dbh->prepare("
SELECT id_utilizador, nivel_utilizador
FROM utilizador
WHERE nome_utilizador = ? AND password_utilizador = ? AND estado_utilizador = ?"
);
$stmt->bindParam(1, $utilizadorVo->getNome(), PDO::PARAM_STR, 255);
$stmt->bindParam(2, $utilizadorVo->getPassword(), PDO::PARAM_STR, 255);
$stmt->bindParam(3, $utilizadorVo->getEstado(), PDO::PARAM_INT, 1);
$stmt->execute();
But this will:
a) prepare the statement;
b) bind parameters;
c) execute;
The execute, according to the documentation, executes the prepared statement, and returns either TRUE or FALSE on success.
1)
This TRUE or FALSE on success means:
a) Return TRUE if the query is executed (even if no records were found) ?
or
b) Return TRUE if the query is executed and returns records ?
2)
What’s the point of doing a select and then do nothing with the returned results? I believe that after this, we need to fetch the data somehow no?
But on the PHP website the examples stop on that (I believe inconsequent) execute();
Well, for a login process you might want to collect all the returned rows to see if there are more than one.
Usually with login systems:
0 records -> user does not exist or password is wrong
1 record -> user is found, great!
> 1 records -> something is wrong! There are more users than there should be with the same username
Of course, with correct validation when inserting the users this should never happen
So, if you agree, we can stick without fetching an array until a reason comes by.
But once I feel the need to differentiate a “0 users” case with the “more then 1 user” case - I will surely recall it here.
The problem of multiple users should never arise, as uniqueness of the username should be checked when the user is created or an existing user is updated (and ideally it should be enforced by the database).
Maybe my example wasn’t such a good example
I suppose that SQL injection attacks could lead to more than 0 or 1 results being returned, but you already have that covered as you’re using PDO and prepared statements.
Well… I’m not sure if I will need to differentiate between having no records, or having more then 1 record for the login. Both should not allow the user to login, and of course, that third option should never arrive in the first place, I believe.
So I’m having something like this, that limits the records to 1, and is based on this query that I found useless to return an array.
SELECT id_utilizador, nivel_utilizador FROM utilizador WHERE nome_utilizador = ? AND password_utilizador = ? AND estado_utilizador = 1 LIMIT 1
Immerse, do you found a reason for us to actually know if there is more then one user or, like me, do you believe that THAT problem should be deal earlier on the process?