If you are splicing $_POST directly into your SQL, you are DEFINITELY doing it wrong, but not in the way that you think.

Start reading here:
http://phpsec.org

On Fri, February 2, 2007 6:10 am, Dave Carrera wrote:
> Hi Stut,
>
> I think I have found where I am going wrong.....
>
> It's in the comparison logic for the db result.
>
> So I select * from jfjfjfjf where custno=$_POST[number]
>
> But now I am getting messed up with if cust no not found then all I get
> is a blank page but hoping for an error
>
> And I don't think I am comparing the db result with the $_POST
> correctly
>
> Struggling here a bit :-(
>
> Dave C
>
> Stut wrote:
>> Dave Carrera wrote:
>>> Hi All,
>>>
>>> Having a grey brain moment here and need some advice on the logic
>>> of this, should be simple, login script.
>>>
>>> I am checking validity of
>>>
>>> customer number
>>> customer email
>>> customer password (md5 in mysql)
>>>
>>> So I have my form with relevant fields
>>>
>>> Now I am getting problems with either sql or how I am handling,
>>> and showing, any errors.....
>>>
>>> I think what I am asking is this
>>>
>>> If someone just hits the login button show error "All fields must
>>> be entered"
>>>
>>> If customer number does not exist show relevant error
>>>
>>> If customer number ok but email not show error
>>>
>>> If customer number ok but email ok but password is not show error
>>>
>>> If all is ok set sessions, got this ok, and proceed.
>>>
>>> Any help with this is very much appreciated.
>>>
>>> Kind Regards
>>>
>>> Dave C
>>
>> I'm not totally clear what the question was in there. Personally I
>> keep this simple...
>>
>> <?php
>> $_POST['number'] =
>>     (isset($_POST['number']) ? trim($_POST['number']) : '');
>> $_POST['email'] =
>>     (isset($_POST['email']) ? trim($_POST['email']) : '');
>>
>> if (empty($_POST['number']) or
>>     empty($_POST['email']) or
>>     empty($_POST['password']))
>> {
>>     die('All fields must be entered');
>> }
>>
>> // Find the customer/user/whatever you need from the given details
>>
>> if (<<not found>>)
>> {
>>     die('Unable to locate customer/user/whatever');
>> }
>>
>> // Set up the session here, or however you're tracking the
>> // current customer/user/whatever
>>
>> header('Location: /somewhere_else');
>> ?>
>>
>> Hope that helps.
>>
>> -Stut
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
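The login ladder Dave asks for (missing fields, unknown customer number, wrong email, wrong password, then session and redirect), written with a prepared statement so that `$_POST['number']` is bound as a parameter rather than spliced into the SQL text. This is an added example, not code from the thread or from any list member. It assumes a PDO connection to MySQL and a `customers` table with columns `custno`, `email` and `password_hash`; the thread stores md5 hashes in MySQL, whereas this example assumes the passwords were stored with `password_hash()` so they can be checked with `password_verify()`. Connection details are placeholders.

```php
<?php
// Added example (not code from the thread). Implements Dave's login ladder
// with a bound parameter instead of splicing $_POST into the SQL string.
// Assumptions: PDO/MySQL, table `customers` with custno, email, password_hash
// (the thread stores md5; this example assumes password_hash()/password_verify()).

declare(strict_types=1);

const LOGIN_OK             = 0;
const LOGIN_MISSING_FIELDS = 1;
const LOGIN_NO_CUSTOMER    = 2;
const LOGIN_BAD_EMAIL      = 3;
const LOGIN_BAD_PASSWORD   = 4;

/**
 * Validate the three form fields and look the customer up.
 * Returns [status code, customer row or null].
 */
function checkLogin(PDO $db, array $post): array
{
    $number   = trim((string)($post['number'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $password = (string)($post['password'] ?? '');

    // Step 1: "All fields must be entered"
    if ($number === '' || $email === '' || $password === '') {
        return [LOGIN_MISSING_FIELDS, null];
    }

    // Step 2: look up by customer number only, through a bound parameter.
    // The value never becomes part of the SQL text, so input such as
    // "1 OR 1=1" is just a string that matches no row.
    $stmt = $db->prepare(
        'SELECT custno, email, password_hash FROM customers WHERE custno = :custno'
    );
    $stmt->bindValue(':custno', $number, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // The "blank page" case from the thread: now an explicit result.
        return [LOGIN_NO_CUSTOMER, null];
    }

    // Step 3: compare the submitted email with the stored one in PHP, not in SQL.
    if (strcasecmp($row['email'], $email) !== 0) {
        return [LOGIN_BAD_EMAIL, null];
    }

    // Step 4: verify the password against the stored hash (constant-time compare).
    if (!password_verify($password, $row['password_hash'])) {
        return [LOGIN_BAD_PASSWORD, null];
    }

    return [LOGIN_OK, $row];
}

/** Map a status code to the message Dave wants shown. */
function loginMessage(int $status): string
{
    switch ($status) {
        case LOGIN_MISSING_FIELDS: return 'All fields must be entered';
        case LOGIN_NO_CUSTOMER:    return 'Customer number not found';
        case LOGIN_BAD_EMAIL:      return 'Email does not match this customer number';
        case LOGIN_BAD_PASSWORD:   return 'Incorrect password';
        default:                   return '';
    }
}

// --- usage --------------------------------------------------------------
// Placeholder credentials. ERRMODE_EXCEPTION makes query failures visible
// instead of silently producing a blank page.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

[$status, $customer] = checkLogin($db, $_POST);

if ($status !== LOGIN_OK) {
    http_response_code(401);
    exit(htmlspecialchars(loginMessage($status), ENT_QUOTES, 'UTF-8'));
}

session_start();
session_regenerate_id(true);          // fresh session id once the login succeeds
$_SESSION['custno'] = $customer['custno'];
header('Location: /somewhere_else');
exit;
```

Two things worth noting when adapting this. First, the per-field messages are exactly what the question asks for, but they also tell a visitor which customer numbers and emails exist; on a public site the three "not found / wrong email / wrong password" outcomes are normally collapsed into one generic message, with the detailed status kept in the server log. Second, the thread's md5-in-MySQL column gives no protection against offline cracking once the table leaks; `password_hash()` stores a salted, slow hash and `password_verify()` checks it in constant time, which is why the example assumes that column rather than comparing `md5($password)` in the query.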