Reply to Re: Passwording a PHP page


Posted by J.O. Aho on 07/11/07 04:32

cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
> wrote:
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
>
> I started over... Can't seem to get anything but the 'sorry, wrong
> password'.

Forms can be sent in two different ways, POST or GET; this you adjust with the
method option in the form tag

<form method="post" ...> => $_POST
<form method="get" ...> => $_GET

For testing, you can put the following in your script where you receive the form

// single quotes, so that PHP prints the label instead of interpolating the array
echo '$_POST: ';
var_dump($_POST);
echo '$_GET: ';
var_dump($_GET);

This way you will see the values sent to the page, really useful when debugging.


> The form writes to a database called 'actions' and a table called
> 'actions_tbl' and I'd like to continue to write to that table but only
> if, the name and password that are queried on the write are consistent
> with a name and password stored within the same database but another
> table called 'password_tbl'

// we have checked the empty values

// NOTE: the $_POST values go into the SQL string unescaped here;
// see the remark about SQL injection below.
$query="SELECT * FROM password_tbl WHERE password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
$res=mysql_query($query);
if(!mysql_num_rows($res)) {
    echo "sorry, the wrong password";
    exit;
}

// your old code here

I should say it can be good to process the $_POST['password'] and
$_POST['user'] before using the values, checking that no one is trying to
inject SQL code (I don't know how bad the people working at your job place are).


> This particular form is an update form used to update existing records
> into the 'actions_tbl' table. I'd like to add two text fields to the
> update form ('text' and 'password') and write that to an additional
> field I'll be adding in actions_tbl ('updated_by') to know who did the
> update.

You will need to use an ALTER TABLE; I suggest you create a test table first
and test on it before you get to the live table.
When you have added the columns, just do it the same way as before.



> I'd thought that perhaps somewhat the reverse of not allowing an empty
> field to be processed might be on track but realize that a query will
> have to be included to actually check the name and password against
> what's in password_tbl so my empty field code as follows won't work
> but here it is if it should help someone looking for that particular
> fix.
>
> if (!$source || !$type || !$area)
> {
> echo 'You have not entered all the required fields for this data
> entry.<br />'
> .'Please click the browser BACK button, complete the form
> and try again.';
> exit;
> }


PHP has the empty() function which is used to check values, as values like
"false", "0" will generate a "true" in your if case.

if(empty($source) || empty($type) || empty($area)) {
    // double quotes, because the message itself contains an apostrophe
    echo "You didn't enter all the needed values";
    exit;
}


I hope this leads you in the right direction, time for me to get to work and
don't have much time over for ng there.

--

//Aho
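
The check the post recommends before using $_POST['user'] and $_POST['password'], as an added example that is not part of the original post. It goes one step further than the thread: it assumes PDO is available, uses an in-memory SQLite database in place of the MySQL server, and assumes password_column stores password_hash() output rather than the plain password; check_login() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO is available, an
// in-memory SQLite database stands in for the MySQL server, and
// password_column stores password_hash() output instead of the plain password.

function check_login(PDO $db, $user, $password)
{
    // Reject missing or non-string input (e.g. user[]=x arrives as an array).
    if (!is_string($user) || !is_string($password) || $user === '' || $password === '') {
        return false;
    }
    // The placeholder keeps the value out of the SQL text: quotes in $user
    // are compared as data and cannot change the WHERE clause.
    $stmt = $db->prepare('SELECT password_column FROM password_tbl WHERE user_column = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_tbl (user_column TEXT PRIMARY KEY, password_column TEXT)');
$ins = $db->prepare('INSERT INTO password_tbl VALUES (?, ?)');
$ins->execute(['cover', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs, as they would arrive in $_POST['user'] / $_POST['password'].
$cases = [
    ['cover', 'correct horse'],      // valid login
    ['cover', 'wrong'],              // wrong password
    ['cover', "' OR '1'='1"],        // SQL syntax in the password field
    ["cover' --", 'correct horse'],  // SQL syntax in the user field
    ['cover', ''],                   // empty field
];
foreach ($cases as [$user, $password]) {
    printf("%-12s %-16s %s\n", $user, $password,
        check_login($db, $user, $password) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted. With the string-built query from the post, the quote characters in the third and fourth inputs would become part of the SQL statement instead of being compared as data.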
