Re: is this a bug?

Posted by Gufo Rosso on 02/11/06 06:35

"joeblow" <momo_roadracer@yahoo.com> wrote in message
news:11ubktffhs67o5e@corp.supernews.com...
> I am in the initial stages of development and am receiving the oddest error.
> The field/column names in this particular table (users) are: fname, lname,
> password, level, paid, (and userid).
>
> When I run the following SQL statement from the command line it works fine:
>
> SELECT level FROM users WHERE fname = [firstname] AND lname = [lastname]
> AND password = [password] AND paid = 1;
>

This example is bad code (SQL INJECTION):

user == other user
password == password

Use this table:

id (int autoincrement)
user (unique)
password = md5(password.token)
.......

and this query:

    <?php
    // $db is an open mysqli connection and $token is the server-side secret
    // appended before hashing (as in the table definition above).
    // Look the user up by name alone, with a bound parameter instead of
    // string concatenation, then compare the salted hash in PHP.
    $stmt = $db->prepare('SELECT password FROM `table` WHERE user = ?');
    $stmt->bind_param('s', $_POST['user']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row && md5($_POST['password'] . $token) === $row['password']) {
        echo "login ok";
    } else {
        echo "ko";
    }



> Yet, when the exact same statement is within a PHP function receiving the
> values as arguments such as:
>
> function userLevel ($f_name, $l_name, $pw, &$userlevel) {
> [connect to database, etc.]
> $sql='SELECT level FROM users WHERE fname = ' . $f_name . ' AND lname = '
> . $l_name . ' AND password = ' . $pw . ' AND paid = 1';
>
> ending with:
> $userlevel=intval($sql);
> return true;
> }
>
> ...I get error #1054: Unknown column 'Joe' in 'where clause'... where "Joe"
> represents the value in $f_name.
>
> I've restructured the statement several times but with no success. Is this a
> bug in MySQL ?
>

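The quoting mistake joeblow hit and the injection Gufo Rosso warns about, as an added example that is not code from either poster: Python with an in-memory SQLite table standing in for the `users` table (SQLite reports the same mistake as "no such column" where MySQL says #1054 Unknown column), constructed sample rows, and three versions of the lookup side by side. The first pastes values in unquoted, so the parser reads `Joe` as a column name; the second adds quotes, runs, and is defeated by `' OR 1=1 --`; the third binds the values as parameters, which both fixes the error and closes the injection. The rows and names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data standing in for the poster's `users` table.
# SQLite is used in place of MySQL so the script runs offline.
USERS = [
    ("Joe", "Blow", "secret", 3, 1),
    ("Ann", "Lee", "hunter2", 5, 0),   # not paid, so must never get a level
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, fname TEXT, lname TEXT,"
        " password TEXT, level INTEGER, paid INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (fname, lname, password, level, paid) VALUES (?,?,?,?,?)",
        USERS,
    )
    return con


def level_unquoted(con, f_name, l_name, pw):
    """The original post's concatenation: values are pasted in without quotes,
    so `WHERE fname = Joe` makes the parser look for a column named Joe."""
    sql = ("SELECT level FROM users WHERE fname = " + f_name + " AND lname = "
           + l_name + " AND password = " + pw + " AND paid = 1")
    try:
        row = con.execute(sql).fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as e:
        # MySQL reports this as #1054 Unknown column; SQLite says "no such column".
        return "error: %s" % e


def level_quoted(con, f_name, l_name, pw):
    """The 'obvious' fix of adding quotes runs, but still builds SQL from
    untrusted text: a value containing a quote rewrites the WHERE clause."""
    sql = ("SELECT level FROM users WHERE fname = '" + f_name + "' AND lname = '"
           + l_name + "' AND password = '" + pw + "' AND paid = 1")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def level_param(con, f_name, l_name, pw):
    """Parameterized query: values travel separately from the SQL text, so they
    are never parsed as identifiers or as SQL, whatever characters they hold."""
    row = con.execute(
        "SELECT level FROM users WHERE fname = ? AND lname = ? AND password = ?"
        " AND paid = 1",
        (f_name, l_name, pw),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    attack = "' OR 1=1 --"          # constructed injection payload
    print("unquoted, valid creds :", level_unquoted(con, "Joe", "Blow", "secret"))
    print("quoted, valid creds   :", level_quoted(con, "Joe", "Blow", "secret"))
    print("quoted, injected pw   :", level_quoted(con, "Joe", "Blow", attack))
    print("param, valid creds    :", level_param(con, "Joe", "Blow", "secret"))
    print("param, injected pw    :", level_param(con, "Joe", "Blow", attack))
```

The same three shapes exist in PHP: the poster's concatenation is `level_unquoted`, wrapping each value in `'...'` gives `level_quoted`, and `mysqli` prepared statements with `bind_param` give `level_param`. Only the last one is acceptable for anything reachable from a login form.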