|
|
Posted by chsadaki on 07/25/06 07:32
Alvaro G. Vicario wrote:
> *** chsadaki@hotmail.com escribió/wrote (24 Jul 2006 06:45:12 -0700):
> > $user = $_POST[username];
> > $pass = $_POST[password];
>
> Unquoted strings are constants that you must define this way:
>
> define('foo', 'bar');
> echo foo; // prints bar
>
> You probably mean:
>
> $user = $_POST['username'];
> $pass = $_POST['password'];
>
> > $q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
> > password =PASSWORD('$pass')");
>
> I suggest you read this article about SQL Injection:
>
> http://en.wikipedia.org/wiki/SQL_Injection
>
>
> > if(mysql_num_rows($q)==0){
> > echo "Acces denied. User not allowed to connect.";
> > mysql_close();
> > }
>
> You're retrieving all the row data when all you need is knowing whether the
> record exists. It's not good programming practice and, believe me, it's far
> easier to learn the right way from the beginning than changing your habits
> afterwards. I suggest you either get the primary key.
>
> > else
> > {
> > echo
> > "<script>window.location.replace('administrator2.php')</script>";
> > }
>
> I presume you're aware of the fact that you must also protect
> "administrator2.php" or anyway will be able to bypass the login screen.
>
> > so if any body has an idea about this problem please tell me about it.
>
> The first test you must do is printing all strings on screen:
>
> echo '<pre>';
> var_dump($_POST);
> var_dump($q);
> echo '</pre>';
>
> If SQL query looks OK, paste it in your favourite MySQL front end check if
> it returns the expected result.
>
> Also, check whether mysql_query() returned a result resouce or FALSE, don't
> use the value blindly.
>
>
> --
> -+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
> ++ Mi sitio sobre programación web: http://bits.demogracia.com
> +- Mi web de humor con rayos UVA: http://www.demogracia.com
> --
Actually my problem is not in quoted strings, cos if I execute this
statement I get a row:
$q = mysql_query("SELECT username FROM admin WHERE username = '$user'
");
well the real problem is that after inserting for example this record
by using the function
Password()
mysql_query("insert into admin values('$user',password('$pass'))");
I cant retrieve this record by using this statement:
$q = mysql_query("SELECT username FROM admin WHERE username = '$user'
and password= password('$pass')");
cos the password now is encrypted in the table admin, for example '123'
is in the table '773359240e'
so how can I get the record ??? Cos I tried to print the result of
mysql_query but it was empty.
Shameram Sadaki
Navigation:
[Reply to this message]
|