On Friday 27 October 2006 19:34, Richard Lynch wrote:
> Your idea to use 'COUNT(Username)' is just about the ONLY part of that
> script that you are doing correctly...
>
> :-)
>
> Start reading here:
> http://phpsec.org/
>
> And the header("Location: ...") requires a full URL.

No it doesn't, but he's missing an ' at first glance.

>
> And you should have better error-checking, probably.
> [Though maybe you have a custom error handler not apparent]
>
> And your DB password should probably be a hash/crypted value.
>
> And it looks like maybe you are using register_globals "on" which is bad.
>
> Once again, start reading:
> http://phpsec.org/
>
> On Thu, October 26, 2006 1:16 pm, afan@xxxxxxxx wrote:
> > Would it be ok to use the same code to check if customer is logged in?
> >
> > $query = mysql_query("
> >     SELECT COUNT(Username) as NoOfRecords
> >     FROM customers
> >     WHERE Username = '$Username' AND Password = '$Password'");
> > if (mysql_result($query, 0) == 0)
> > {
> >     echo 'Please try again';
> > }
> > else
> > {
> >     header('location: index.php);
> >     exit;
> > }
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some starving artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?

--
---
Børge Kennel Arivene
http://www.arivene.net
---
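For readers of the archive, here is the login check rewritten to address the points raised in the thread (interpolated input in the SQL, plaintext password comparison, register_globals, the unclosed quote and the relative Location header). This is an added example, not code from the thread; it uses PDO and password_hash()/password_verify(), which post-date the 2006 discussion, and the DSN, credentials, `PasswordHash` column and redirect URL are placeholders.

```php
<?php
// Added example (not from the thread). Assumes a `customers` table whose
// `PasswordHash` column holds values produced by password_hash().
declare(strict_types=1);

function checkLogin(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is sent as a parameter, never
    // spliced into the SQL text, so quotes in the input cannot alter the query.
    $stmt = $db->prepare('SELECT PasswordHash FROM customers WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a hash, never against a stored plaintext password.
    // An unknown username is checked against a throwaway hash so that
    // "no such user" and "wrong password" take about the same time.
    $hash = $row['PasswordHash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $row !== false;
}

// Read inputs from the request explicitly instead of relying on register_globals.
$username = (string)($_POST['Username'] ?? '');
$password = (string)($_POST['Password'] ?? '');

// Placeholder DSN and credentials. ERRMODE_EXCEPTION makes database errors
// visible instead of letting a failed query look like "0 matching rows".
$db = new PDO('mysql:host=localhost;dbname=shop', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (checkLogin($db, $username, $password)) {
    session_start();
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['Username'] = $username;
    // Quote closed, and an absolute URL (placeholder host), which satisfies
    // either reading of what Location requires.
    header('Location: https://www.example.com/index.php');
    exit;
}

echo 'Please try again';
```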