Exactly! I still can't believe how many sites out there have the SQL injection problem.

--
itoctopus - http://www.itoctopus.com

"Edward Kay" <edward@xxxxxxxxxx> wrote in message news:DMEGJFCOCHBGNBCHNDHGAENGHNAA.edward@xxxxxxxxxxxxx
>
>
>> -----Original Message-----
>> From: Joshua [mailto:josh@xxxxxxxxxxxx]
>> Sent: 18 May 2007 12:09
>> To: Edward Kay
>> Subject: RE: stay logged in for session
>>
>>
>> On Fri, 2007-05-18 at 11:53 +0100, Edward Kay wrote:
>> >
>> > > -----Original Message-----
>> > > From: Joshua [mailto:josh@xxxxxxxxxxxx]
>> > > Sent: 18 May 2007 11:43
>> > > To: PHP.net
>> > > Subject: stay logged in for session
>> > >
>> > >
>> > > hey guys, i am trying to set up a session so that when a user logs in,
>> > > they will stay logged in until they close their browser. i have the
>> > > session set up, however i keep getting an error saying:
>> > >
>> > > The page isn't redirecting properly
>> > >
>> > > Firefox has detected that the server is redirecting the request for this
>> > > address in a way that will never complete.
>> > >
>> > > ----------------------------------------------------------------------
>> > > this is my code, any help plz.
>> > > ----------------------------------------------------------------------
>> > > checklogin.php:
>> > >
>> > > <?php
>> > > session_start();
>> > > //set session variables
>> > > $_SESSION['txtSurname'] = $_REQUEST['txtSurname'];
>> > > $_SESSION['txtPassword'] = $_REQUEST['txtPassword'];
>> > > session_write_close();
>> > >
>> > > include('includes/dbconnect.php');
>> > >
>> > > $nextpage = $_REQUEST['np'];
>> > > $profile = $_REQUEST['ob'];
>> > >
>> > > //Matching usernames and passwords
>> > > $uname = $_REQUEST['txtSurname'];
>> > > $pword = $_REQUEST['txtPassword'];
>> > > $user = "SELECT * FROM oldboys WHERE OBSURNAME='" . $uname . "' AND PWORD='" . $pword . "'";
>> > > $ResSql = mysql_query($user) ;
>> > > //If any errors then print `em out----------------------------
>> > > if (!$ResSql) {
>> > >     echo("<p>Error performing query: " . mysql_error() . "</p>");
>> > >     exit();
>> > > }
>> > > //if user does not exist
>> > > if (mysql_num_rows($ResSql)==0) {
>> > >     echo 'Incorrect username or password have been specified.<br>';
>> > >     echo '<a href="updlogin.php">Click here to Log In</a>';
>> > >     exit;
>> > > }
>> > > else {
>> > >     header("Location:" . $nextpage . "?ob=" . $_REQUEST['ob'] .
>> > >         "&uname=" . $_REQUEST['txtSurname'] . "&pword=" .
>> > >         $_REQUEST['txtPassword']);
>> > > }
>> > > ?>
>> > >
>> > > verify.php:
>> > >
>> > > <?php
>> > > session_start();
>> > > if(!isset($_SESSION['txtSurname']) && !isset($_SESSION['txtPassword']))
>> > > {
>> > >     header("location:updlogin.php?np=" . $_REQUEST['np'] . "&ob=" .
>> > >         $_REQUEST['ob']);
>> > > }
>> > > else {
>> > >     header("location:" . $nextpage . "?np=" . $_REQUEST['np'] . "&ob=" .
>> > >         $_REQUEST['ob']);
>> > > }
>> > > ?>
>> > >
>> > > -----------------------------------------------------------------------
>> >
>> > HTTP Location headers require the full hostname, i.e.
>> >
>> > header("Location: http://www.example.com/page_to/redirect/to.php");
>> >
>> > As others on this list will say however, you don't have to use a full
>> > redirect. Just use different PHP includes.
>> >
>> > E
>> >
>> thx so much, it works now.
>>
>
> Excellent. Please include the list on replies so that it all gets archived
> and others can see your responses.
>
> By the way, I suggest you have a read up on PHP security, especially SQL
> injection attacks. Looking at the code above, what would happen if the
> username I supplied was the following:
>
> foo'; DELETE FROM oldboys; #
>
> E

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
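
Added example, not part of the original thread or any poster's code: the user lookup from checklogin.php rewritten with a PDO prepared statement, run against a constructed in-memory SQLite table so it works offline (assumes the pdo_sqlite extension). The helpers `check_login()` and `row_count()`, the sample row, and storing a `password_hash()` value in `PWORD` are assumptions made for the illustration.

```php
<?php
// Added example. Constructed in-memory table standing in for the thread's `oldboys`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE oldboys (OBSURNAME TEXT PRIMARY KEY, PWORD TEXT NOT NULL)');

// Assumption: PWORD stores a password_hash() value, not the plaintext password.
$seed = $pdo->prepare('INSERT INTO oldboys (OBSURNAME, PWORD) VALUES (?, ?)');
$seed->execute(['Smith', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Hypothetical helper: the surname travels as a bound parameter, never as SQL text.
function check_login(PDO $pdo, string $uname, string $pword): bool
{
    $stmt = $pdo->prepare('SELECT PWORD FROM oldboys WHERE OBSURNAME = :uname');
    $stmt->execute([':uname' => $uname]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($pword, $hash);
}

// Hypothetical helper: number of rows left in the table.
function row_count(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM oldboys')->fetchColumn();
}

$payload = "foo'; DELETE FROM oldboys; #";   // the username quoted in the thread

// The string checklogin.php's concatenation would build (printed only, never executed):
echo "SELECT * FROM oldboys WHERE OBSURNAME='" . $payload . "' AND PWORD='x'", PHP_EOL;

// Three login attempts: the thread's payload, a wrong password, the correct password.
var_dump(check_login($pdo, $payload, 'x'));
var_dump(check_login($pdo, 'Smith', 'wrong'));
var_dump(check_login($pdo, 'Smith', 'constructed-sample-pw'));

// The payload was compared as a literal surname, so the table is untouched.
echo 'rows after all attempts: ', row_count($pdo), PHP_EOL;
```

Against MySQL the same `prepare()`/`execute()` calls apply through PDO's MySQL driver; the `mysql_*` functions used in the original code offer no parameter binding.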