ansaurus

Question

Using SELECT resultset to run UPDATE query with MySQL Stored Procedures

Answer 1

+1 A:

Use:

UPDATE USERS
   SET online = 1
 WHERE EXISTS(SELECT NULL
                FROM USERS t
               WHERE t.email = IN_EMAIL
                 AND t.password = IN_PASSWORD
                 AND t.id = id)
   AND id = 'result_id'

Why do you have LIMIT 1 on your SELECT? Do you really expect an email and password to be in the db more than once?

OMG Ponies 2009-12-14 20:21:17

Thanks for the fast answer and yes, LIMIT 1 is useless, I'll remove that one. One more thing, I want to return the name of the user (from the SELECT sub-query) to the PHP-script.How can I set a "return" variable or create a return resultset of the sub-query?

Tirithen 2009-12-14 20:26:19

OMG Ponies 2009-12-14 20:36:28

Answer 2

A:

You could try an if statement if you have an result which returns 1 i looked at yor code, it seems nothing returns a true so you have to refactor it, as above omg wrote thats realy true why do you have an limit 1 in your select query where only one emailadress can exisst? something like this

update users set if(result==1,online=1,online=0) where email=emailadress

streetparade 2009-12-14 20:26:44

Answer 3

+2 A:

DELIMITER //
CREATE PROCEDURE checkUser(IN in_email VARCHAR(80), IN in_password VARCHAR(50))
BEGIN
    DECLARE tempId INT DEFAULT 0;
    DECLARE tempName VARCHAR(50) DEFAULT NULL;
    DECLARE done INT DEFAULT 0;

    DECLARE cur CURSOR FOR 
        SELECT id, name FROM users WHERE email = in_email AND password = in_password;
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;

    OPEN cur;

    REPEAT
        FETCH cur INTO tempId, tempName;
        UPDATE users SET online = 1 WHERE id = tempId;
    UNTIL done  = 1 END REPEAT;
    CLOSE cur;

    SELECT tempName;
END //
DELIMITER ;

NB: I have not tested this. It's possible that MySQL doesn't like UPDATE against a table it currently has a cursor open for.

PS: You should reconsider how you're storing passwords.

Re comment about RETURN vs. OUT vs. result set:

RETURN is used only in stored functions, not stored procedures. Stored functions are used when you want to call the routine within another SQL expression.

SELECT LCASE( checkUserFunc(?, ?) );

You can use an OUT parameter, but you have to declare a user variable first to pass as that parameter. And then you have to select that user variable to get its value anyway.

SET @outparam = null;
CALL checkUser(?, ?, @outparam);
SELECT @outparam;

When returning result sets from a stored procedure, it's easiest to use a SELECT query.

Bill Karwin 2009-12-14 20:39:02

@Bill: is there any benefit to using SELECT vs RETURN or OUT parameters?

OMG Ponies 2009-12-14 20:46:25

The first code in this answer works great as is, thank you for the answer. It took a while to understand but now I got it. :-)Right now I'm encrypting my passwords (not MD5 and one way) three times and two of them using different salts and using different encryption methodes so my thought was that would be enough. Such a string does to me seem real hard to bruteforce. These things allso seemed to be summary of the link you gave me. Was there something else you where thinking of?

Tirithen 2009-12-14 23:12:37

No, if you're using a strong hash function and a random salt per user, that should be enough. I was worried you were storing passwords in plain text since you were just comparing the `in_password` to the database field with the `=` operator. Cheers!

Bill Karwin 2009-12-15 01:03:19

ansaurus

tags:

views:

answers:

Using SELECT resultset to run UPDATE query with MySQL Stored Procedures

related questions