Posted by J.O. Aho on 07/10/07 05:15

cover wrote:
 > On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
 > wrote:
 >
 >
 >> // escape the submitted value before it is put into the SQL string
 >> $password = mysql_real_escape_string($_POST['password']);
 >> $query = "SELECT * FROM table WHERE password_column='$password'";
 >> $res = mysql_query($query);
 >> if (!mysql_num_rows($res)) {
 >>     echo "sorry, the wrong password";
 >>     exit;
 >> }
 >>
 >> echo "Wow, you know the password";
 >
 > not sure if that's quite what I was looking for but I very much
 > appreciate your reply.
 
 I think that is what you wanted: a check of the password against what is in
 the database. mysql_num_rows returns how many rows there are with that
 password; if it returns 0, then you know the password was either misspelled or
 the person didn't know the password.
 You execute the db-update after the password check.
 
 
 > What if we want to allow any one of five people to update ANY record
 > in the db provided they have a password as verified by 'password_tbl'.
 > The entries won't have any password associated, but when someone does an
 > update, we want to know who did it and write it to the database in the
 > 'updater' field accordingly - thanks...
 
 You will need a log table (or a log file); you can store the query and the
 password in the table/file, that way you can check what each person has done.
 If you want, you could of course store a "user name" in the password table and
 use that name in the log file/table.
 You may want to check the query before you run it, so that they
 aren't affecting the password_tbl or the log_tbl.
 
 IMHO the following flow is a good one:
 
 1. Check login
    a. FALSE - redirect the user to another page with header()
    b. TRUE - let the user execute the rest of the page
 2. Check the query to be executed
    a. BAD - don't execute, redirect the user to another page with header()
    b. OK - let the execution continue
 3. Store query + password/username to the log table/file
 4. Execute the query
 
 The page you redirect to can be static (html), which just informs the user
 that they have done something they shouldn't. I think this is a lot better than
 having big if-cases in the main script, which can easily make you do
 modifications in the wrong place, especially if you have a bad "syntax" use.
 
 
 --
 
 //Aho
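The four-step flow above (check login, check the query, log who ran it, execute), as an added example that is not part of the thread. It is written in Python with an in-memory sqlite database standing in for the MySQL tables, rather than PHP, so it can be run as-is. The table names password_tbl, log_tbl and records, the user names and the passwords are all constructed for the example. Two points a practitioner would want beyond the post: the password is checked with a parameterized query and a salted hash instead of being interpolated into the SQL string, and the log stores the user name (the option the post mentions), never the password.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed table names standing in for the ones discussed in the thread.
PASSWORD_TBL = "password_tbl"
LOG_TBL = "log_tbl"

# Only this exact shape of UPDATE is allowed: one known column of `records`,
# bound parameters only, no literals, no second statement.
ALLOWED_UPDATE = re.compile(
    r"^UPDATE\s+records\s+SET\s+(body)\s*=\s*\?\s+WHERE\s+id\s*=\s*\?$",
    re.IGNORECASE,
)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the table never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db() -> sqlite3.Connection:
    """Build the constructed sample database: two users and one record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE password_tbl (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        CREATE TABLE log_tbl (id INTEGER PRIMARY KEY, username TEXT, query TEXT);
        CREATE TABLE records (id INTEGER PRIMARY KEY, body TEXT, updater TEXT);
        """
    )
    for name, pw in [("alice", "correct horse"), ("bob", "battery staple")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO password_tbl VALUES (?, ?, ?)",
                     (name, salt, _hash_password(pw, salt)))
    conn.execute("INSERT INTO records (body, updater) VALUES ('hello', NULL)")
    conn.commit()
    return conn


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Step 1: parameterized lookup plus constant-time hash comparison."""
    row = conn.execute("SELECT salt, pw_hash FROM password_tbl WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


def check_query(query: str) -> bool:
    """Step 2: allowlist the statement; reject anything touching the
    password or log tables or smuggling in a second statement."""
    q = query.strip()
    if ";" in q or "--" in q:
        return False
    lowered = q.lower()
    if PASSWORD_TBL in lowered or LOG_TBL in lowered:
        return False
    return ALLOWED_UPDATE.match(q) is not None


def run_update(conn, username, password, query, new_value, record_id) -> str:
    """Steps 1-4 in order. A PHP page would header() redirect on the two
    failure results; here they are returned so the flow can be tested."""
    if not check_login(conn, username, password):
        return "LOGIN_FAILED"
    if not check_query(query):
        return "BAD_QUERY"
    # Step 3: log the user name and the query, not the password.
    conn.execute("INSERT INTO log_tbl (username, query) VALUES (?, ?)",
                 (username, f"{query} -- params={(new_value, record_id)!r}"))
    # Step 4: execute with bound parameters, then stamp the 'updater' field.
    conn.execute(query, (new_value, record_id))
    conn.execute("UPDATE records SET updater = ? WHERE id = ?", (username, record_id))
    conn.commit()
    return "OK"


def record(conn, record_id):
    return conn.execute("SELECT body, updater FROM records WHERE id = ?",
                        (record_id,)).fetchone()


def log_entries(conn):
    return list(conn.execute("SELECT username, query FROM log_tbl ORDER BY id"))


if __name__ == "__main__":
    db = setup_db()
    print(run_update(db, "bob", "battery staple",
                     "UPDATE records SET body = ? WHERE id = ?", "edited", 1))
    print(record(db, 1), log_entries(db))
```

The allowlist in check_query is deliberately strict: because the five updaters can only submit the one statement shape with placeholders, the values they supply are bound by the driver and never become part of the SQL text, which is what makes step 2 a real check rather than a string search.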