views:

306

answers:

3

I'm trying to understand MySQL Stored Procedures, I want to check if a users login credentials are valid and if so, update the users online status:

-- DROP PROCEDURE IF EXISTS checkUser;
DELIMITER //
CREATE PROCEDURE checkUser(IN in_email VARCHAR(80), IN in_password VARCHAR(50))
BEGIN
    SELECT id, name FROM users WHERE email = in_email AND password = in_password LIMIT 1;
    -- If result is 1, UPDATE users SET online = 1 WHERE id = "result_id";
END //
DELIMITER ;

How Can I make this if-statement based on the resultsets number of rows == 1 or id IS NOT NULL?

+1  A: 

Use:

UPDATE USERS
   SET online = 1
 WHERE EXISTS(SELECT NULL
                FROM USERS t
               WHERE t.email = IN_EMAIL
                 AND t.password = IN_PASSWORD
                 AND t.id = id)
   AND id = 'result_id'

Why do you have LIMIT 1 on your SELECT? Do you really expect an email and password to be in the db more than once?

OMG Ponies
Thanks for the fast answer and yes, LIMIT 1 is useless, I'll remove that one. One more thing, I want to return the name of the user (from the SELECT sub-query) to the PHP-script.How can I set a "return" variable or create a return resultset of the sub-query?
Tirithen
OMG Ponies
A: 

You could try an if statement if you have an result which returns 1 i looked at yor code, it seems nothing returns a true so you have to refactor it, as above omg wrote thats realy true why do you have an limit 1 in your select query where only one emailadress can exisst? something like this

update users set if(result==1,online=1,online=0) where email=emailadress
streetparade
+2  A: 
DELIMITER //
CREATE PROCEDURE checkUser(IN in_email VARCHAR(80), IN in_password VARCHAR(50))
BEGIN
    DECLARE tempId INT DEFAULT 0;
    DECLARE tempName VARCHAR(50) DEFAULT NULL;
    DECLARE done INT DEFAULT 0;

    DECLARE cur CURSOR FOR 
        SELECT id, name FROM users WHERE email = in_email AND password = in_password;
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;

    OPEN cur;

    REPEAT
        FETCH cur INTO tempId, tempName;
        UPDATE users SET online = 1 WHERE id = tempId;
    UNTIL done  = 1 END REPEAT;
    CLOSE cur;

    SELECT tempName;
END //
DELIMITER ;

NB: I have not tested this. It's possible that MySQL doesn't like UPDATE against a table it currently has a cursor open for.

PS: You should reconsider how you're storing passwords.


Re comment about RETURN vs. OUT vs. result set:

RETURN is used only in stored functions, not stored procedures. Stored functions are used when you want to call the routine within another SQL expression.

SELECT LCASE( checkUserFunc(?, ?) );

You can use an OUT parameter, but you have to declare a user variable first to pass as that parameter. And then you have to select that user variable to get its value anyway.

SET @outparam = null;
CALL checkUser(?, ?, @outparam);
SELECT @outparam;

When returning result sets from a stored procedure, it's easiest to use a SELECT query.

Bill Karwin
@Bill: is there any benefit to using SELECT vs RETURN or OUT parameters?
OMG Ponies
The first code in this answer works great as is, thank you for the answer. It took a while to understand but now I got it. :-)Right now I'm encrypting my passwords (not MD5 and one way) three times and two of them using different salts and using different encryption methodes so my thought was that would be enough. Such a string does to me seem real hard to bruteforce. These things allso seemed to be summary of the link you gave me. Was there something else you where thinking of?
Tirithen
No, if you're using a strong hash function and a random salt per user, that should be enough. I was worried you were storing passwords in plain text since you were just comparing the `in_password` to the database field with the `=` operator. Cheers!
Bill Karwin