Posted by J.O. Aho on 07/11/07 04:32
cover wrote:
> On Tue, 10 Jul 2007 06:07:24 +0200, "J.O. Aho" <user@example.net>
> wrote:
>
>> $query="SELECT * FROM table WHERE password_column='{$_POST['password']}'";
>> $res=mysql_query($query);
>> if(!mysql_num_rows($res)) {
>> echo "sorry, the wrong password";
>> exit;
>> }
>>
>> echo "Wow, you know the password";
>
>
> I started over... Can't seem to get anything but the 'sorry, wrong
> password'.

Forms can be sent in two different ways, POST or GET; you adjust this with the
method option in the form tag:

    <form method="post" ...> => $_POST
    <form method="get" ...> => $_GET

For testing, you can put the following in your script where you receive the form:

    // single quotes so PHP prints the variable name instead of expanding it
    echo '$_POST: ';
    var_dump($_POST);
    echo '$_GET: ';
    var_dump($_GET);

This way you will see the values sent to the page, really useful when debugging.

> The form writes to a database called 'actions' and a table called
> 'actions_tbl' and I'd like to continue to write to that table but only
> if, the name and password that are queried on the write are consistent
> with a name and password stored within the same database but another
> table called 'password_tbl'

    // we have checked the empty values
    $query="SELECT * FROM password_tbl WHERE
    password_column='{$_POST['password']}' AND user_column='{$_POST['user']}'";
    $res=mysql_query($query);
    if(!mysql_num_rows($res)) {
        echo "sorry, the wrong password";
        exit;
    }
    // your old code here

I should say it can be good to process the $_POST['password'] and
$_POST['user'] before using the values, checking that no one is trying to
inject SQL code (I don't know how bad the people working at your workplace are).

> This particular form is an update form used to update existing records
> into the 'actions_tbl' table. I'd like to add two text fields to the
> update form ('text' and 'password') and write that to an additional
> field I'll be adding in actions_tbl ('updated_by') to know who did the
> update.

You will need to use ALTER TABLE; I suggest you create a test table first
and test on it before you get on the live table.
Once you have added the columns, you just do it the same way as before.

> I'd thought that perhaps somewhat the reverse of not allowing an empty
> field to be processed might be on track but realize that a query will
> have to be included to actually check the name and password against
> what's in password_tbl so my empty field code as follows won't work
> but here it is if it should help someone looking for that particular
> fix.
>
> if (!$source || !$type || !$area)
> {
> echo 'You have not entered all the required fields for this data
> entry.<br />'
> .'Please click the browser BACK button, complete the form
> and try again.';
> exit;
> }

PHP has the empty() function, which is used to check values, as values like
"false", "0" will generate a "true" in your if case.

    if(empty($source) || empty($type) || empty($area)) {
        // double quotes so the apostrophe does not end the string
        echo "You didn't enter all the needed values";
        exit;
    }

I hope this leads you in the right direction. Time for me to get to work, and
I don't have much time over for ng there.

--
//Aho
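
Added example (not part of the original post, and not the poster's code): one way to do the password_tbl check so that the submitted user and password never become part of the SQL text, using PDO prepared statements. The table and column names come from the post; the in-memory SQLite database, the sample row, the check_login() helper and the choice to store a password_hash() value in password_column are assumptions made for the demo.

```php
<?php
// Added example: table and column names follow the post; the SQLite
// in-memory database and the sample row are constructed for the demo.
// Assumption: password_column holds a password_hash() value, not plain text.

function check_login(PDO $db, string $user, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT password_column FROM password_tbl WHERE user_column = :user'
    );
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return $hash !== false && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_tbl (user_column TEXT PRIMARY KEY, password_column TEXT)');

$insert = $db->prepare('INSERT INTO password_tbl VALUES (:user, :hash)');
$insert->execute([':user' => 'alice', ':hash' => password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

// Constructed inputs standing in for $_POST['user'] / $_POST['password'].
$attempts = [
    ['alice', 's3cret-demo'],      // correct credentials
    ['alice', 'wrong'],            // wrong password
    ['alice', "' OR '1'='1"],      // quote characters are treated as data
    ["alice' --", 'anything'],     // same for the user field
];

foreach ($attempts as [$user, $password]) {
    $ok = check_login($db, $user, $password);
    printf("%-12s %-14s %s\n", $user, $password, $ok ? 'accepted' : 'sorry, the wrong password');
}
```

With MySQL, only the PDO connection string changes; the prepared statement and the password_verify() call stay the same.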