Re: [sqlite] Porting a simple logon script to SQLite3 from MySQL

2011-10-05 Thread C Lindgren

Quoting Stephan Beal <sgb...@googlemail.com>:

> On Wed, Oct 5, 2011 at 6:56 PM, C Lindgren <list_bo...@bizotd.com> wrote:
>
>> if (isset ($_post ['submit'] )) {
>
> Aside from this use of POST being a huge security hole, $_post is spelled
> wrong: it should be $_POST (or $_REQUEST if you want to treat GET/POST the
> same).
>
>> $sql=$db->exec("INSERT INTO users(ID,username,password)
>> VALUES ('0','".$username."','".$password."')");
>
> If it's not clear why that is a huge security hole, google for "sql
> injection attack" and then read up on PDO::prepare() for how to avoid that
> problem:
>
> http://php.net/manual/en/pdo.prepare.php
>
> --
> - stephan beal
> http://wanderinghorse.net/home/stephan/
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Thanks...

So, I can eliminate the $_POST block of code and replace it with
PDO::prepare(), then execute it with PDOStatement::execute()?


I'm sure I'll have additional questions after I rewrite that code block.
Even though this is in an intranet environment, it's nice to know!

Thanks again for your straight answer.

--
C Lindgren


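The rewrite Lindgren is asking about, as an added example that is not code from the thread: the $_POST handling stays, and only the string-concatenated exec() call is replaced by PDO::prepare() plus PDOStatement::execute(). The concatenated version from the original post is kept alongside so the two can be run against the same input. Assumptions of mine, not from the thread: an in-memory database (sqlite::memory:) in place of the poster's file path, a CREATE TABLE built from the column names in the thread's INSERT with ID left for SQLite to assign instead of inserting '0', PDO::ERRMODE_EXCEPTION so a failed exec() is reported instead of returning false, and a constructed attacker value for the username.

```php
<?php
// Added example, not code from the thread: the INSERT from the original post
// with PDO::prepare()/execute() beside the string-concatenated version, run
// against an in-memory SQLite database (an assumption; the poster used a file path).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Report failures as exceptions rather than a false return value that goes unchecked.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Schema assumed from the column names in the thread's INSERT; ID is assigned by SQLite.
    $db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    return $db;
}

// As in the original post: the submitted values become part of the SQL text.
function addUserUnsafe(PDO $db, string $username, string $password): void
{
    $db->exec("INSERT INTO users(username,password) VALUES ('" . $username . "','" . $password . "')");
}

// Prepared statement: the SQL text is fixed at prepare() time and the values
// travel separately as parameters, so quotes in them are data, not syntax.
function addUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    return $stmt->execute([':username' => $username, ':password' => $password]);
}

function listUsernames(PDO $db): array
{
    return $db->query('SELECT username FROM users ORDER BY ID')->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDb();

// Constructed attacker input: closes the VALUES row early, appends a second
// row of its own, and comments out the remainder of the original statement.
$payload = "mallory','pw'),('admin','owned'); --";

// Concatenated: the ('admin','owned') row from the payload is executed as part of the INSERT.
addUserUnsafe($db, $payload, 'ignored');
echo "after unsafe insert: " . implode(', ', listUsernames($db)) . PHP_EOL;

// Prepared: the whole payload is stored verbatim as one username string.
addUser($db, $payload, 'ignored');
echo "after prepared insert: " . implode(', ', listUsernames($db)) . PHP_EOL;

// A legitimate value containing a quote, which the concatenated version
// would turn into a syntax error; the prepared statement stores it as-is.
addUser($db, "o'brien", 'secret');
echo "after quoted name: " . implode(', ', listUsernames($db)) . PHP_EOL;

// The request handling from the thread, with the prepared statement in place of exec().
if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if ($username !== '' && $password !== '') {
        addUser($db, $username, $password);
        print 'User Added';
    } else {
        print 'You must enter a valid Username and Password';
    }
}
```

Run it from the command line with `php example.php` to see the three listings; the $_POST branch only fires when the script is served through a web server. Like the thread's script, the example writes the password column exactly as submitted so the two versions stay comparable; a logon script meant for real use would store the output of password_hash() and check it with password_verify() rather than keep the plaintext.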


[sqlite] Porting a simple logon script to SQLite3 from MySQL

2011-10-05 Thread C Lindgren
I'm trying to port a simple logon script that was originally for MySQL
to SQLite3. Everything seems to work, but it won't post data to the
database and won't return the else statements if no data is entered, or
"User Added" when submitted.


New and trying to learn PDO with SQLite3...

Can someone give me an idea what's wrong with my code?

The code is below...

--
C Lindgren



CODE <<<<


<?php
try {
    /*** connect to SQLite database ***/
    $db = new PDO("sqlite:///my_path/to_my/sqlite3_db_file");
}
catch(PDOException $e)
{
    echo $e->getMessage();
}

if (isset ($_post ['submit'] )) {
    $username = ($_post ['username']);
    $password = ($_post ['password']);
    if (!empty ($username) && !empty ($password)) {
        $sql=$db->exec("INSERT INTO users(ID,username,password)
                        VALUES ('0','".$username."','".$password."')");
        print 'User Added';
    }
    else {
        print 'You must enter a valid Username and Password';
    }
}
else {
    // form fields named to match the keys the script reads above
    print '
    <form method="post">
    Username: <input type="text" name="username">
    Password: <input type="password" name="password">
    <input type="submit" name="submit">
    </form>
    ';
}
?>


CODE<<<<

