> I need to get a password value from a form, store it in a database and then
> later be able to compare a login password to the one stored in the db.
> This works great unless the password contains the '\' char.
> magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
> As a kludge, I tried just removing slashes from the input password using
> stripslashes() before storing it in the db and then testing to see if
> stripslashes(val from db)=stripslashes(val from form) in the login test to
> see if they match. (the user shouldn't even know that slashes are being
> stripped, so I have to strip them on each input). They still don't match if
> a slash is input for the original password storage, but I don't know why.

Okay... you want the "slash" or escape character there when you insert it into the database. But, since it's an escape character, it doesn't actually go into the data of the database.

If you put O'Kelly into your form, magic_quotes_gpc will turn it into O\'Kelly. If you insert that into the database, it'll use the \ as an escape character and the data in the database will actually be just O'Kelly. With magic_quotes_runtime OFF, that's exactly what you'll draw out of the database, too.

So, if you want to compare a form submitted value to a value drawn out of the database, you have to use stripslashes() on the form data first.

A better option overall is to just do it in your query.

SELECT * FROM table WHERE user = '{$_POST['user']}' and password = '{$_POST['password']}'

Where your form is method=POST... If a row is returned, the username and password matched. If no row is returned, then one or both didn't match.

---John Holmes...

PS: Just noticed the .af.mil address. Do you do any PHP programming for the Air Force or is this on your own?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
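
The escaping round trip discussed in this thread, as an added example that is not part of either message: it traces a password from the form into the stored value and back to the login comparison, once with stripslashes() applied before the insert and once with the slashes left in for the insert. `mysql_literal_value()` is a hypothetical helper that models MySQL's default string-literal escapes in simplified form, `addslashes()` stands in for `magic_quotes_gpc = On`, and the sample passwords are constructed.

```php
<?php
// Added example (not from the thread). Passwords below are constructed samples.

// Hypothetical helper: simplified model of how MySQL, in its default SQL mode,
// turns the body of a quoted string literal into the stored value
// (the special handling of \% and \_ is not modeled).
function mysql_literal_value(string $body): string
{
    $special = ['0' => "\0", 'b' => "\x08", 'n' => "\n", 'r' => "\r",
                't' => "\t", 'Z' => "\x1A"];
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === '\\' && $i + 1 < $n) {
            $next = $body[++$i];
            // Known escapes become control bytes; for any other character
            // the backslash is dropped and the character stands for itself.
            $out .= $special[$next] ?? $next;
        } else {
            $out .= $body[$i];
        }
    }
    return $out;
}

// addslashes() stands in for what magic_quotes_gpc = On did to form input.
function form_value(string $typed): string
{
    return addslashes($typed);
}

// Value that ends up in the table when the form value is placed in an INSERT.
function stored_value(string $typed, bool $stripBeforeInsert): string
{
    $form = form_value($typed);
    return mysql_literal_value($stripBeforeInsert ? stripslashes($form) : $form);
}

// Login check: the question's kludge versus the comparison from the reply.
function login_matches(string $typed, bool $kludge): bool
{
    $db = stored_value($typed, $kludge);
    $form = form_value($typed);
    return $kludge ? stripslashes($db) === stripslashes($form)
                   : $db === stripslashes($form);
}

foreach (['plain', 'pa\\ss', 'a\\b'] as $pw) {
    printf("%-6s kludge=%s reply=%s\n", $pw,
        var_export(login_matches($pw, true), true),
        var_export(login_matches($pw, false), true));
}
```

When the slashes are stripped before the insert, the database's own escape handling consumes the remaining backslash, so the stored value no longer contains it and the login comparison fails for any password with a backslash.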