|
|
Posted by Jim Michaels on 01/11/06 22:50
simplified (below). but if they ever decide to put special characters in
the password (unlikely), mysql_escape_string() might come in handy.
"Hilarion" <hilarion@SPAM.op.SMIECI.pl> wrote in message
news:doudns$9i2$1@news.onet.pl...
> Damien <gerard@nsecure.nl> wrote:
>> English:
>>
>> I want to know whats wrong with the script. I am gettich the error:
>>
>> Parse error: syntax error, unexpected '=' in
>> c:\inetpub\wwwroot\login.php on line 17
>>
>> I think the error is in:
>> $usernameexists = mssql_query("SELECT ID FROM tblusers WHERE
>> username"=.$_POST["username"]."' &&
>> password='".$_POST["password"]."'");
>
>>
>> But how to solve it?
>
> You placed "=" after the "username" outside the query string, which is
> the PHP syntax error. Your query is also incorrect, because it has no
> opening quote around username value and it uses "&&" which is not
> valid (as far as I know, but MySQL - which I do not use - may accept
> it) and should be replaced with "AND".
> So change this:
>
> $usernameexists = mssql_query("SELECT ID FROM tblusers WHERE
> username=.$_POST["username"]."' &&
> password"='".$_POST["password"]."'");
> to this:
$usernameexists = mssql_query(
"SELECT id " .
"FROM tblusers " .
"WHERE username = '$_POST[username]' " .
" AND password = '$_POST[password]' "
);
> There's also one more thing. You should read about SQL injection
> attacks and "mysql_real_escape_string" function. Your script may
> be (and probably is) vulnerable to those attacks and proper
> use of this function would prevent it.
>
>
>
> Hilarion
Navigation:
[Reply to this message]
|