Re: [sqlite] Porting a simple logon script to SQLite3 from MySQL

2011-10-05 Thread David Garfield
C Lindgren writes:
>   $sql=$db->exec("INSERT INTO users(ID,username,password)
>   VALUES 
> ('0','".$username."','".$password."')");

In MySQL, null and 0 are magic for an INTEGER PRIMARY KEY
AUTO_INCREMENT column.

In SQLite, only null is magic for an INTEGER PRIMARY KEY column.

Use NULL instead of '0' in both platforms.

--David Garfield

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Porting a simple logon script to SQLite3 from MySQL

2011-10-05 Thread C Lindgren

Quoting Stephan Beal:

> On Wed, Oct 5, 2011 at 6:56 PM, C Lindgren wrote:
>
> > if (isset ($_post ['submit'] )) {
>
> Aside from this use of POST being a huge security hole, $_post is spelled
> wrong: it should be $_POST (or $_REQUEST if you want to treat GET/POST the
> same).
>
> >   $sql=$db->exec("INSERT INTO users(ID,username,password)
> >   VALUES
> > ('0','".$username."','".$password."')");
>
> If it's not clear why that is a huge security hole, google for "sql
> injection attack" and then read up on PDO::prepare() for how to avoid that
> problem:
>
> http://php.net/manual/en/pdo.prepare.php
>
> --
> - stephan beal
> http://wanderinghorse.net/home/stephan/



Thanks...

So, I can eliminate the $_POST block of code and replace it with
PDO::prepare() then execute it with PDOStatement::execute()?


I'm sure I'll have additional questions after I rewrite that code block.
Even though this is in an intranet environment it's nice to know!

Thanks again for your straight answer.

--
C Lindgren




Re: [sqlite] Porting a simple logon script to SQLite3 from MySQL

2011-10-05 Thread Simon Slavin

On 5 Oct 2011, at 5:56pm, C Lindgren wrote:

> I'm trying to port a simple logon script that was originally for MySQL to 
> SQLite3. 

MySQL uses connections to a server with a password.  SQLite accesses a file on 
a hard disk.  Make sure your web app (probably apache or httpd) has enough 
access to the database file to be able to open it with readwrite permissions.  
Do this by temporarily lowering the permissions all the way.

Simon.


Re: [sqlite] Porting a simple logon script to SQLite3 from MySQL

2011-10-05 Thread Stephan Beal
On Wed, Oct 5, 2011 at 6:56 PM, C Lindgren wrote:

> if (isset ($_post ['submit'] )) {


Aside from this use of POST being a huge security hole, $_post is spelled
wrong: it should be $_POST (or $_REQUEST if you want to treat GET/POST the
same).


>   $sql=$db->exec("INSERT INTO users(ID,username,password)
>   VALUES
> ('0','".$username."','".$password."')");
>

If it's not clear why that is a huge security hole, google for "sql
injection attack" and then read up on PDO::prepare() for how to avoid that
problem:

http://php.net/manual/en/pdo.prepare.php

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
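
The two fixes suggested in this thread (NULL for the INTEGER PRIMARY KEY column, and PDO::prepare() with bound parameters instead of string concatenation) combined in one script, as an added example that is not code from any poster. It assumes PDO with the pdo_sqlite driver, an in-memory database, a constructed users table and constructed form submissions; addUser() and checkLogin() are hypothetical helpers, and the password_hash() step goes beyond what the thread discusses.

```php
<?php
// Added example, not code from the thread; schema and sample values are constructed.
$db = new PDO('sqlite::memory:');   // assumption: the pdo_sqlite driver is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    ID INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// Hypothetical helper: insert one user and return the row id SQLite assigned.
function addUser(PDO $db, string $username, string $password): int
{
    // NULL for ID lets SQLite choose the key; the placeholders keep the
    // submitted values out of the SQL text, so quotes in them are only data.
    $stmt = $db->prepare(
        'INSERT INTO users (ID, username, password) VALUES (NULL, :username, :password)'
    );
    $stmt->execute([
        ':username' => $username,
        // Addition beyond the thread: store a hash, not the plaintext password.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $db->lastInsertId();
}

// Hypothetical helper: look the user up with a bound parameter and verify the hash.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    return $hash !== false && password_verify($password, $hash);
}

// Constructed stand-ins for $_POST; both usernames contain quote characters
// that would break (or alter) the concatenated INSERT quoted in the thread.
$submissions = [
    ['submit' => '1', 'username' => "O'Brien",     'password' => 'example-1'],
    ['submit' => '1', 'username' => "x','y'); --", 'password' => 'example-2'],
];
foreach ($submissions as $post) {
    if (isset($post['submit'], $post['username'], $post['password'])) {
        echo 'inserted row ', addUser($db, $post['username'], $post['password']), "\n";
    }
}
var_dump(checkLogin($db, "O'Brien", 'example-1'));
var_dump(checkLogin($db, "O'Brien", 'wrong-password'));
```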