Posted by Rik on 12/14/06 06:52

Dave Nash wrote:
> I have a login form set up. When a person logs in, it verifies the user
> name and password and logs them in if the information is correct.
> This script is called auth.php and is included in all of the pages I
> want to secure.
> My problem is how do I get info on that particular logged-in user,
> for example to say Welcome $fullname, when the only two fields I've currently
> got are u_name and p_word.
> See auth script below.
>
> And
>
> How to get info from another table?
>
> Example SELECT * FROM messages WHERE userid = $userid ORDER by
> messageid
>
> -------------------------------
> Auth.php
>
> session_start();
> if($_POST){
> $_SESSION['u_name']=$_POST["u_name"];
> $_SESSION['p_word']=$_POST["p_word"];
> }
> $result=mysql_query("select * from users
> where u_name='" . $_SESSION['u_name'] . "' and p_word='" .
> $_SESSION['p_word'] . "'");
> $num=mysql_num_rows($result);
> if($num < 1){
> echo "show login form";
> exit;
> }
> End auth.php
> -------------------------------
> Tables are as follows.
> Users table.
> userid
> u_name
> p_word
> fullname
> PRIMARY KEY (`userid`)

For the answer to your question, see Vince.
I'd rather like to know what your query would answer if I used "'' OR
`p_word` IS NOT NULL" as password with a random valid username.....

If you've posted a snippet, and you're actually escaping and validating: no
problem.
If not:
Google SQL injection attacks, learn mysql_real_escape_string() (which is
not that perfect BTW), and think again.

I normally use this flow for security:
- I only allow a VERY restrictive set of characters for the username
(Normally: [a-zA-Z0-9_-])
- get the username, convert to ascii, preg_replace() all illegal
characters.
- get the password belonging to that username
- compare the password to given password, do not insert the password in the
query (because you should applaud the use of weird characters in a password
of the users, but they're hard to check)
--
Rik Wasmus
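The flow Rik describes (restrict the username's character set, fetch the stored password for that username only, compare in PHP rather than in the query), written out as an added example that is not code from this thread. It assumes a PDO connection (placeholder credentials), the `users` table shown above (userid, u_name, p_word, fullname) and a `messages` table with a userid column, and it also answers the "Welcome $fullname" and messages-by-userid questions from the stored userid:

```php
<?php
// Added example, not code from the thread. Assumes PDO, the `users` table
// above (userid, u_name, p_word, fullname) and a `messages` table with userid.
session_start();

// 1. Only allow [a-zA-Z0-9_-] in the username: strip everything else before
//    the value goes anywhere near SQL.
function clean_username(string $raw): ?string {
    $name = preg_replace('/[^a-zA-Z0-9_-]/', '', $raw);
    return $name === '' ? null : $name;
}

// 2. Look up the stored password for that username only. The password the
//    user typed never becomes part of the query, so it may contain anything.
function authenticate(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT userid, u_name, p_word, fullname FROM users WHERE u_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown username
    }
    // 3. Compare in PHP. hash_equals() is a constant-time comparison; if p_word
    //    holds a password_hash() digest, use password_verify() here instead.
    if (!hash_equals($row['p_word'], $password)) {
        return null;                       // wrong password
    }
    unset($row['p_word']);                 // never keep the password around
    return $row;                           // userid, u_name, fullname
}

$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // placeholder
if ($_POST) {
    $username = clean_username((string)($_POST['u_name'] ?? ''));
    $user = $username === null ? null
          : authenticate($db, $username, (string)($_POST['p_word'] ?? ''));
    if ($user === null) {
        echo "show login form";
        exit;
    }
    session_regenerate_id(true);           // fresh session id after login
    $_SESSION['user'] = $user;             // store userid/fullname, not the password
}
if (empty($_SESSION['user'])) {
    echo "show login form";
    exit;
}

// The two follow-up questions: greet by fullname, and fetch that user's messages.
echo 'Welcome ' . htmlspecialchars($_SESSION['user']['fullname']);
$stmt = $db->prepare('SELECT * FROM messages WHERE userid = ? ORDER BY messageid');
$stmt->execute([$_SESSION['user']['userid']]);
$messages = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Because the userid comes from the session rather than from a request parameter, the messages query cannot be pointed at another user's rows.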

Copyright © 2005-2006 Powered by Custom PHP Programming
