Posted by salvadorvp on 02/20/07 18:05
Hi, thanks Erwin.
That's correct, I fixed that and I also corrected the way I was reading
the error message for the $result object. But now I have a different
error. I'm trying to use a prepared query with SQL Server Express and
it is not working. I'm getting this output (in error):
username: lll
An error occurred while trying to execute the following query:
select UserKey from [User] where UserName = ?
Error message: MDB2 Error: syntax error
A more detailed error description: _doQuery: [Error message: Could not
execute statement] [Last executed query: select UserKey from [User]
where UserName = ?] [Native code: 102] [Native message: Incorrect
syntax near '?'.]
From this piece of code:
    // Check username and password
    $result = false;
    if ( isset($_POST['username']) && isset($_POST['password']) ) {
        $username = $_POST['username'];
        // $password = $_POST['password'];
        echo "username: $username<br>\n";
        //echo "password: $password<br>\n";
        $result =& $dbh->query($WEBAPP_LOGIN_SQL, $username);
        if (PEAR::isError($result)) {
            echo "An error occurred while trying to execute the following query:<br>\n";
            echo "$WEBAPP_LOGIN_SQL<br>\n";
            echo "Error message: " . $result->getMessage() . "<br>\n";
            echo "A more detailed error description: " . $result->getDebugInfo() . "<br>\n";
            exit();
        }
    }
And the query in the global variable $WEBAPP_LOGIN_SQL is:
$WEBAPP_LOGIN_SQL = "select UserKey from [User] where UserName = ?";
So I'm thinking of appending strings to form my query (in the usual
unsafe way) and of using some regular expressions to filter out
keywords for any possible injection attack (i.e. delete|insert|update|
etc...).
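The following is an added example, not code from the post above or from the PEAR project, showing how MDB2 binds a `?` placeholder through `prepare()`/`execute()` so that the user name travels as data rather than being spliced into the SQL text (which is what makes a keyword blacklist unnecessary for this query). The DSN, the `[User]` table and its columns are assumed to match the poster's setup; the DSN credentials are placeholders.

```php
<?php
// Added example (not from the original post): parameterised user lookup
// with PEAR::MDB2. Assumes the PEAR MDB2 package and its mssql driver.
require_once 'MDB2.php';

// Placeholder DSN; replace with the real connection details.
$dsn = 'mssql://webapp_user:PLACEHOLDER_PASSWORD@localhost/WebAppDb';

// Returns the UserKey for $username, null if no row matched, or a
// PEAR_Error object on failure (assumed helper, not an MDB2 API).
function lookup_user_key($dbh, $username)
{
    // The bracketed identifier is fine for SQL Server; the ? is the
    // MDB2 positional placeholder and must stay unquoted in the SQL.
    $sql = 'SELECT UserKey FROM [User] WHERE UserName = ?';

    // Second argument: types of the bound parameters.
    // Third argument: types of the result columns.
    $sth = $dbh->prepare($sql, array('text'), array('integer'));
    if (PEAR::isError($sth)) {
        return $sth;
    }

    // execute() supplies the bound values. Input such as
    // "' OR 1=1 --" is compared as a literal user name, not run as SQL.
    $res = $sth->execute(array($username));
    $sth->free();
    if (PEAR::isError($res)) {
        return $res;
    }

    $key = $res->fetchOne(); // first column of the first row, or null
    $res->free();
    return $key;
}

$dbh = MDB2::connect($dsn);
if (PEAR::isError($dbh)) {
    error_log('MDB2 connect failed: ' . $dbh->getMessage());
    exit('Login unavailable');
}

$username = isset($_POST['username']) ? $_POST['username'] : '';
$key = lookup_user_key($dbh, $username);
if (PEAR::isError($key)) {
    // Keep driver details in the server log, not in the HTTP response.
    error_log('Login query failed: ' . $key->getMessage()
              . ' | ' . $key->getDebugInfo());
    exit('Login unavailable');
}

echo 'username: ' . htmlspecialchars($username) . "<br>\n";
echo ($key === null) ? "no such user<br>\n" : "UserKey: $key<br>\n";
```

Two details worth keeping: the native error text (`getDebugInfo()`) goes to the server log rather than the page, so query structure and driver messages are not echoed to whoever submitted the form, and the echoed user name is passed through `htmlspecialchars()` so the page does not reflect raw input.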