Posted by J.O. Aho on 07/10/07 15:51
cover wrote:
> On Tue, 10 Jul 2007 07:34:35 +0200, "J.O. Aho" <user@example.net>
> wrote:
>
>> Yes, in the case you want that the user will be using both a login name and
>> password, if you only want a password, you have to see that the password is
>> unique, otherwise the users can be mixed up (while using login+pass the
>> likelihood is a lot less that you have two persons with the same login and
>> password, of course you should see to have only one user for each
>> username/login you use).
>
> Would something like this work where there might be two tables, one
> with the data you're trying to update and the second only holding the
> user name and password where conditions had to be met at update?
> mysql_query("UPDATE actions_tbl SET date='$ud_date',
> targmonth='$ud_targmonth', targyear='$ud_targyear',
> assignedto='$ud_assignedto', datecomp='$ud_datecomp',
> status='$ud_status', referenceno='$ud_referenceno'
> WHERE id='$ud_id' AND WHERE password_tbl
> updater_column='$updater' AND password_column='$password'") or
> die("Update Error: ".mysql_error());
>
> echo "Record Updated";
> mysql_close();
No, that won't work, do
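// Escape the request values before they are placed in the SQL string
$user=mysql_real_escape_string($_POST['username']);
$pass=mysql_real_escape_string($_POST['password']);
$pass_query="SELECT * FROM table WHERE password_column='{$pass}'
AND user_column='{$user}'";
$res=mysql_query($pass_query);
// Only a matching username/password row allows the update
if($res && mysql_num_rows($res)) {
// The $ud_* values need the same escaping before they reach this point
$query="UPDATE actions_tbl SET date='$ud_date',
targmonth='$ud_targmonth', targyear='$ud_targyear',
assignedto='$ud_assignedto', datecomp='$ud_datecomp',
status='$ud_status', referenceno='$ud_referenceno'
WHERE id='$ud_id'";
mysql_query($query);
// 'H:i' is hours:minutes ('n' would print the month number)
$time=date('Y-m-d H:i');
// Append to the log from PHP itself: request data passed to a shell could run
// commands. Line breaks are flattened so each update is one log line.
$line=str_replace(array("\r", "\n"), ' ', "{$time} {$_POST['username']}: {$query}");
file_put_contents('/path/to/sqlupdate.log', $line."\n", FILE_APPEND | LOCK_EX);
}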
This way you check if the user is allowed to make the update, do the
update, and then register the update in the logfile.
--
//Aho
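
The check, update and log flow from the reply above, as an added example that is not part of the original post: it uses PDO prepared statements and password_hash()/password_verify() in place of the mysql_* calls, with an in-memory SQLite database and constructed sample rows so it runs offline. The function name authorized_update(), the reduced column set and the log location are assumptions made for illustration.

```php
<?php
// Added example: table layout, sample rows and log path are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE password_tbl (updater_column TEXT PRIMARY KEY, password_column TEXT)");
$db->exec("CREATE TABLE actions_tbl (id INTEGER PRIMARY KEY, status TEXT, referenceno TEXT)");
$db->exec("INSERT INTO actions_tbl VALUES (1, 'open', 'REF-1')");
$ins = $db->prepare("INSERT INTO password_tbl VALUES (?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function authorized_update(PDO $db, string $user, string $pass, int $id, array $fields, string $log): bool
{
    // 1. Look the user up by name only and compare against the stored hash,
    //    so the password itself never appears in a query or in the table.
    $st = $db->prepare("SELECT password_column FROM password_tbl WHERE updater_column = ?");
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($pass, $hash)) {
        return false;
    }
    // 2. Bound parameters: the values never become part of the SQL text.
    $up = $db->prepare("UPDATE actions_tbl SET status = :status, referenceno = :ref WHERE id = :id");
    $up->execute([':status' => $fields['status'], ':ref' => $fields['referenceno'], ':id' => $id]);
    // 3. Log from PHP, not through a shell; strip CR/LF so one update is one line.
    $who = preg_replace('/[\r\n]+/', ' ', $user);
    $line = sprintf("%s %s: updated actions_tbl id=%d %s\n", date('Y-m-d H:i'), $who, $id, json_encode($fields));
    file_put_contents($log, $line, FILE_APPEND | LOCK_EX);
    return true;
}

$log = sys_get_temp_dir() . '/sqlupdate.log';
// A value containing a quote, which would break the interpolated query string
$new = ['status' => "closed (O'Brien's request)", 'referenceno' => 'REF-2'];
var_dump(authorized_update($db, 'alice', 'wrong', 1, $new, $log));          // wrong password
var_dump(authorized_update($db, 'bob', 'correct horse', 1, $new, $log));    // unknown user
var_dump(authorized_update($db, 'alice', 'correct horse', 1, $new, $log));  // valid credentials
var_dump($db->query("SELECT status FROM actions_tbl WHERE id = 1")->fetchColumn());
```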