> I need to get a password value from a form, store it in a database and then
> later be able to compare a login password to the one stored in the db.
> This works great unless the password contains the '\' char.
> magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
> As a kludge, I tried just removing slashes from the input password using
> stripslashes() before storing it in the db and then testing to see if
> stripslashes(val from db)=stripslashes(val from form) in the login test to
> see if they match.  (the user shouldn't even know that slashes are being
> stripped, so I have to strip them on each input).  They still don't match if
> a slash is input for the original password storage, but I don't know why.

Okay... you want the "slash" or escape character there when you insert
it into the database. But, since it's an escape character, it doesn't
actually go into the data of the database. If you put O'Kelly into your
form, magic_quotes_gpc will turn it into O\'Kelly. If you insert that
into the database, it'll use the \ as an escape character and the data
in the database will actually be just O'Kelly. With magic_quotes_runtime
OFF, that's exactly what you'll draw out of the database, too. So, if
you want to compare a form submitted value to a value drawn out of the
database, you have to use stripslashes() on the form data first. 

A better option overall is to just do it in your query.

SELECT * FROM table WHERE user = '{$_POST['user']}' and password = '{$_POST['password']}'

Where your form is method=POST... If a row is returned, the username and
password matched. If no row is returned, then one or both didn't match. 

---John Holmes...

PS: Just noticed the .af.mil address. Do you do any PHP programming for
the Air Force or is this on your own?
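
The round trip described in the reply above, as an added example that is not part of the original message: addslashes() stands in for magic_quotes_gpc (which current PHP no longer has), and the form values are stripped before being bound as query parameters. It stores a password_hash() value instead of the plaintext the thread compares; the function names, the users table and the sample values are constructed, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example: function names, table and sample values are constructed.
// addslashes() stands in for what magic_quotes_gpc=On did to form fields.
function as_received(string $typed): string {
    return addslashes($typed);
}

// Undo the request-level escaping to get back what the user typed.
function as_typed(string $formValue): string {
    return stripslashes($formValue);
}

function register(PDO $db, string $formUser, string $formPassword): void {
    // Bound parameters travel as data, so no slashes are needed or consumed.
    $stmt = $db->prepare('INSERT INTO users (user, pw_hash) VALUES (?, ?)');
    $hash = password_hash(as_typed($formPassword), PASSWORD_DEFAULT);
    $stmt->execute([as_typed($formUser), $hash]);
}

function login(PDO $db, string $formUser, string $formPassword, bool $strip = true): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE user = ?');
    $stmt->execute([as_typed($formUser)]);
    $hash = $stmt->fetchColumn();
    $candidate = $strip ? as_typed($formPassword) : $formPassword;
    return is_string($hash) && password_verify($candidate, $hash);
}

function check(string $label, bool $ok): void {
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

$user = as_received("O'Kelly");        // arrives as O\'Kelly
$pass = as_received('pa\\ss\'word');   // typed pa\ss'word, arrives as pa\\ss\'word

register($db, $user, $pass);
$stored = $db->query('SELECT user FROM users')->fetchColumn();

check('stored user name has no slashes', $stored === "O'Kelly");
check('login succeeds when slashes are stripped first', login($db, $user, $pass));
check('login fails when the escaped form value is compared', !login($db, $user, $pass, false));
```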


