On Aug 23, 2010, at 10:04 PM, Karl DeSaulniers wrote:
On Aug 23, 2010, at 9:31 PM, Chris wrote:
To be more specific. Is this correct?
function confirmUP($username, $password){
$username = mysql_real_escape_string($username);
/* Verify that user is in database */
$q = "SELECT password FROM TBL-U WHERE username = '$username'";
I normally do it in the query in case you use the variable
somewhere else but here it's ok because you don't use $username
elsewhere. Be careful though, it may bite you and it will be
difficult to track down.
eg
$q = "select password from table where username='" . mysql_real_escape_string($username) . "'";
echo "You entered " . htmlspecialchars($username) . ", either it was wrong or the password was wrong. Try again.";
Doing the escape_string before the query means you end up with
(basically)
htmlspecialchars(mysql_real_escape_string($username));
which will cause weird characters to show up in certain cases.
$result = $this->query($q);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}
/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']);
$password = mysql_real_escape_string(md5($password));
$password = htmlspecialchars($password);
You're not displaying the password so don't htmlspecialchars it.
Just:
if ($dbarray['password'] == md5($password)) {
return 0; // success!
}
Only specialchars it when you display it (like the echo above).
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Ahhh. I see.
But I do still put the escape on what they entered so it will match
what is in the database.
Ok. Thank you Thank you Thank you.
Best,
Karl DeSaulniers
Design Drumm
http://designdrumm.com
Just to make sure, cause I am ready to get past this.
Is this correct?
function confirmUP($username, $password){
/* Verify that user is in database */
$q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
$result = $this->query($q);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}
/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']); //Or is this where I need to leave htmlspecialchars off too?
/* Validate that password is correct */
if(md5($password) == $dbarray['password']){
return 0; //Success! Username and password confirmed
}
else{
return 2; //Indicates password failure
}
}
Karl DeSaulniers
Design Drumm
http://designdrumm.com
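An added example (not code from the thread) that makes Chris's two points concrete: escaping the input once for SQL and then again for HTML produces the "weird characters" he warns about, and a lookup-and-compare path needs no HTML escaping at all. It assumes a hypothetical `mysql_escape` helper that mimics PHP's mysql_real_escape_string so it runs offline, a constructed in-memory SQLite table standing in for TBL_USERS, and bound query parameters in place of string escaping.

```python
import hashlib
import hmac
import html
import sqlite3


def mysql_escape(s: str) -> str:
    """Hypothetical stand-in for PHP's mysql_real_escape_string: backslash-escape
    the characters MySQL treats specially (no DB connection needed)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def escaped_then_displayed(username: str) -> str:
    # The ordering Chris warns about: the value was SQL-escaped early, and the
    # same variable is later HTML-escaped for the "You entered ..." message.
    return html.escape(mysql_escape(username))


def displayed_only(username: str) -> str:
    # Escape for the context actually in use (HTML output), nothing else.
    return html.escape(username)


def build_db(users):
    """Constructed in-memory table standing in for TBL_USERS: (username, password)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO tbl_users VALUES (?, ?)",
                   [(u, hashlib.md5(p.encode()).hexdigest()) for u, p in users])
    return db


def confirm_up(db, username: str, password: str) -> int:
    """Same return codes as confirmUP: 0 success, 1 unknown user, 2 bad password.
    The username is passed as a bound parameter (no escaping to get wrong) and the
    stored hash is compared as stored: nothing here is displayed, so there is no
    place for htmlspecialchars on either side of the comparison."""
    row = db.execute("SELECT password FROM tbl_users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return 1
    # md5 mirrors the thread; a real deployment would store a password hash
    # designed for the purpose (e.g. bcrypt) instead.
    entered = hashlib.md5(password.encode()).hexdigest()
    if hmac.compare_digest(entered, row[0]):  # constant-time comparison
        return 0
    return 2
```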