"        if ($result)
        {
                echo "Valid user";
        } else {
                echo "Error?";
        }
?>
</body>
</html>
-- End here --

Now if what you're saying is correct, the final "if result()" block
should only print "valid user" if the user exists in the database,
right?"

Yup, and believe it or not, if($result) only returns true if a valid
username/password row can be found; otherwise it returns a non-existing
resource.

"For me it'll print "valid user" no matter what I do because the query is
always valid and that is all it's checking."

Hmmm, interesting... In your example of usernames here, when I type andy for
username and mysql for password it says "valid user". Now say I type andy
for a username and junk for a password: it will now say "error?" because in
MySQL's mindset there isn't any row anywhere that exists with andy for a
username and junk for a password. Now take it the other way around: I type
useless for a username and mysql for a password and then it still says
"error?"...
It seems that no matter what I do (unless you directly spoof the MySQL
server) it can't be fooled at all... At this point it is acting like it is
indestructible (I know, what a wild dream) but have to have one for a min...
In any case I can't find any "loopholes" in it anywhere... The only thing I
see I can do to reduce the risk of hacks or possible outside interference is to
turn $result in your example into a session var, $_SESSION['result'], since
$result can be changed from the query string from a link (wait, testing...).
Well, it doesn't exactly work but crashes it instead, being a global like that...

"If I enter a valid username and password combo the result is reflected
in mysql_num_rows, as shown in the code."

Yup... it does on mine too... just like you say.

"Unless I have missed something significant from your original code/query
I'm at a complete loss as to how the above can give you any kind of
different result?"

That's a good question I can't even answer...




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
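
The distinction this thread argues over, as an added example that is not part of the original messages: a SELECT that runs without error reports success even when it matches zero rows, so a login check has to inspect the returned row. It assumes PHP 7.1+ with the pdo_sqlite extension and swaps in an in-memory SQLite table and password_hash() for the thread's MySQL setup; the table, column and function names are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

// Constructed sample account, reusing the andy/mysql pair mentioned in the thread.
$ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
$ins->execute(['andy', password_hash('mysql', PASSWORD_DEFAULT)]);

// Weak check: only tests that the query ran, like if ($result) on a query handle.
function queryRan(PDO $db, string $user): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    return $stmt->execute([$user]);   // true even when zero rows match
}

// Corrected check: a row must come back and the password must verify against it.
function validLogin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();     // false when no row matched
    return $hash !== false && password_verify($pass, $hash);
}

// The three attempts walked through in the thread (constructed inputs).
$attempts = [['andy', 'mysql'], ['andy', 'junk'], ['useless', 'mysql']];
foreach ($attempts as [$u, $p]) {
    printf("%-8s %-6s queryRan=%-5s validLogin=%s\n", $u, $p,
        var_export(queryRan($db, $u), true),
        var_export(validLogin($db, $u, $p), true));
}
```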
