Posted by J.O. Aho on 07/10/07 05:15
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
> wrote:
>
>
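>> // Escape the submitted value before it is placed inside the SQL string
>> $password = mysql_real_escape_string($_POST['password']);
>> $query = "SELECT * FROM table WHERE password_column='$password'";
>> $res = mysql_query($query);
>> // Treat a failed query the same as "no matching row"
>> if (!$res || !mysql_num_rows($res)) {
>>     echo "sorry, the wrong password";
>>     exit;
>> }
>>
>> echo "Wow, you know the password";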
>
> not sure if that's quite what I was looking for but I very much
> appreciate your reply.

I think that is what you wanted, a check of the password against what is in
the database, the mysql_num_rows returns how many lines there are with the
password, if it returns 0, then you know the password was either misspelled or
the person didn't know the password.

You execute the db-update after the password check.

> What if we want to allow any one of five people to update ANY record
> in the db provided they have a password as verified by 'password_tbl'.
> The entries won't have any password associated but when someone does an
> update, we want to know who did it and write it to the database in the
> 'updater' field accordingly - thanks...

You will need a log table (or a log file), you can store the query and the
password to the table/file, that way you can check what each person has done.
If you want you could of course store a "user name" in the password table and
use that name in the log file/table.

You may want to make a check of the query before you run it, so that they
aren't affecting the password_tbl or the log_tbl.

IMHO the following flow is a good one:

1. Check login
   a. FALSE - redirect the user to another page with header()
   b. TRUE - let user execute the rest of the page
2. Check query to be executed
   a. BAD - don't execute, redirect user to another page with header()
   b. OK - let the execution continue
3. Store query + password/username to the log table/file
4. Execute the query

The page you redirect to can be static (html), which just informs the user
that they have done something they shouldn't. I think this is a lot better than
having big if-cases in the main script which can easily make you do
modifications in the wrong place, especially if you have a bad "syntax" use.

--
//Aho
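
The four-step flow listed in the post above (check login, check the requested change, log it, execute it), as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database, a constructed schema, user and password, hashed passwords, and a column allowlist in place of inspecting free-form SQL; it logs the username rather than the password.

```php
<?php
// Added example. Table names password_tbl, log_tbl and the 'updater' field follow
// the thread; the records table, the user and the password are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_tbl (username TEXT PRIMARY KEY, pw_hash TEXT)');
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT, body TEXT, updater TEXT)');
$db->exec('CREATE TABLE log_tbl (username TEXT, action TEXT, at TEXT)');
$db->prepare('INSERT INTO password_tbl VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-demo-pw', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO records (id, title, body) VALUES (1, 'old title', 'old body')");

// Step 1: check login. Returns the username on success, null otherwise.
function check_login(PDO $db, string $user, string $password): ?string {
    $st = $db->prepare('SELECT pw_hash FROM password_tbl WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return ($hash !== false && password_verify($password, $hash)) ? $user : null;
}

// Steps 2-4: validate the requested change, log it, then execute it.
function update_record(PDO $db, string $user, int $id, string $column, string $value): bool {
    // Step 2: only allowlisted columns of `records` can be changed, so a request
    // can never reach password_tbl or log_tbl.
    if (!in_array($column, ['title', 'body'], true)) {
        return false; // a web page would redirect with header() here
    }
    $db->beginTransaction();
    // Step 3: log who is doing what (the username, not the password).
    $db->prepare("INSERT INTO log_tbl VALUES (?, ?, datetime('now'))")
       ->execute([$user, "update records.$column id=$id"]);
    // Step 4: run the update with bound values and fill the 'updater' field.
    $st = $db->prepare("UPDATE records SET $column = ?, updater = ? WHERE id = ?");
    $st->execute([$value, $user, $id]);
    $db->commit();
    return $st->rowCount() === 1;
}

$user = check_login($db, 'alice', 'constructed-demo-pw');
var_dump($user !== null && update_record($db, $user, 1, 'title', 'new title')); // allowlisted column
var_dump($user !== null && update_record($db, $user, 1, 'updater', 'x'));       // column not on the allowlist
var_dump(check_login($db, 'alice', 'wrong-pw'));                                // wrong password
var_dump($db->query('SELECT title, updater FROM records')->fetch(PDO::FETCH_ASSOC));
```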