Re: Trouble with PHP server script

Robert Cox wrote:
> Is it possible to use the "$_SERVER['PHP_AUTH_USER'];" construct in a URL
> forwarded site?  I am trying to find the authorised user id so that I can
> access an SQL database with it.  Anyone got some ideas?
> PHP looks like this....
>
> <?php
>  //Get User
>   $user = $_SERVER['PHP_AUTH_USER'];
> // Get User type
>   $db = mysql_connect('localhost', ....., .....) or die("Can't connect to database: ".mysql_error());
>         mysql_select_db(................) or die("Can't select database: ".mysql_error());

You should always run mysql_real_escape_string() on any variables that you use in an SQL statement.

>   $query = "SELECT * FROM user WHERE staffid LIKE $user";

You need to make sure that you surround your string with quotes. This is only if $user is a string; if it is an int/number, then forget the quotes.

$query = "SELECT * FROM user WHERE staffid LIKE '$user'";

The following should always reference your above DB resource $db

Plus, this isn't how you should be checking for a valid user.
The following would only hit the die() statement if there was an error with the SQL statement, not if it didn't return any results.

mysql_query($query, $db) or die('Not a valid user: '.mysql_error());

>   $result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());
> ....
> ?>

Note: You need to make sure that magic_quotes_gpc is not enabled. That will mess with doing things this way.

Note: I am assuming that you will only match one and only one. If that is the case, you need to switch the LIKE to an = instead.

	staffid = '{$user}'

Don't worry about the curly braces; they are for PHP to identify the variable. They won't show up in your actual SQL statement.


All that being said, try this instead.

<?php

// Connect first: mysql_real_escape_string() needs an open connection
$db = mysql_connect('localhost', ....., .....) or
	die("Can't connect to database: ".mysql_error());
mysql_select_db(................) or
	die("Can't select database: ".mysql_error());

// Get User, escaped for use inside a quoted SQL string literal
$user = mysql_real_escape_string(@$_SERVER['PHP_AUTH_USER'], $db);

// Exact match on the staff id, with the value wrapped in single quotes
$query = "SELECT * FROM user WHERE staffid = '{$user}'";

$result = mysql_query($query, $db) or
	die('Error with query: '.mysql_error());

// A query that ran fine but matched nothing is not an error, so check the row count
if ( mysql_num_rows($result) == 0 ) {
	// No results found, assume user does not exist
} else {
	// User exists, do something about it.
}

....

?>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
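Editor's added example, not code from this thread or from either poster: the same staff-id lookup done with a PDO prepared statement, run against an in-memory SQLite database so it works without a MySQL server. The table, its two rows and the helper names openTestDb, lookupInterpolated, lookupPrepared and currentAuthUser are constructed here for illustration. It runs both the interpolated LIKE query discussed above and a parameterised = query on a normal staff id, on a value that breaks out of the quotes, and on a bare '%' wildcard, so the difference the escaping and quoting advice is about can be seen directly.

```php
<?php
// Added example (editor's, not from the thread). Requires the pdo_sqlite
// extension. Table contents are constructed here for illustration.

function openTestDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE user (staffid TEXT PRIMARY KEY, name TEXT, role TEXT)");
    $db->exec("INSERT INTO user VALUES ('alice', 'Alice', 'admin'), ('bob', 'Bob', 'staff')");
    return $db;
}

// The interpolated query from the thread: the user-supplied value becomes part
// of the SQL text, so a crafted value changes the query itself. Returns the
// number of rows the query matched.
function lookupInterpolated(PDO $db, string $user): int {
    $query = "SELECT * FROM user WHERE staffid LIKE '$user'";
    return count($db->query($query)->fetchAll(PDO::FETCH_ASSOC));
}

// Parameterised version: the value travels separately from the SQL text and is
// never parsed as SQL. Exact match with =, so one row or none.
function lookupPrepared(PDO $db, string $user): ?array {
    $stmt = $db->prepare("SELECT staffid, name, role FROM user WHERE staffid = :staffid");
    $stmt->execute([':staffid' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The Basic-auth user as the web server set it; null when it was not populated
// at all, which is the case to refuse rather than look up an empty string.
function currentAuthUser(array $server): ?string {
    if (!isset($server['PHP_AUTH_USER']) || $server['PHP_AUTH_USER'] === '') {
        return null;
    }
    return $server['PHP_AUTH_USER'];
}

$db = openTestDb();

// A normal staff id: both forms find the one matching row.
var_dump(lookupInterpolated($db, 'alice'));
var_dump(lookupPrepared($db, 'alice'));

// A value that closes the quote and appends OR '1'='1': the interpolated query
// now matches every row, while the prepared statement looks for a staffid that
// is literally that string and finds nothing.
$evil = "' OR '1'='1";
var_dump(lookupInterpolated($db, $evil));
var_dump(lookupPrepared($db, $evil));

// LIKE with a bare wildcard matches every row without breaking any quotes at
// all; = treats '%' as an ordinary character.
var_dump(lookupInterpolated($db, '%'));
var_dump(lookupPrepared($db, '%'));

// Wiring it to the real request: the web server has already checked the
// password; the database says whether that login is a known staff member.
$user = currentAuthUser($_SERVER);
if ($user === null) {
    header('WWW-Authenticate: Basic realm="staff"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
$row = lookupPrepared($db, $user);
if ($row === null) {
    // Authenticated by the web server but not present in the user table.
    http_response_code(403);
    exit;
}
// $row['role'] and the other columns are now safe to act on.
```

Run it with `php example.php` on a build that has pdo_sqlite; the request-handling tail at the end takes the 401 branch at the command line, where PHP_AUTH_USER is unset. The two bad inputs are the point: escaping only protects the quote-breaking case, and only while the value is actually wrapped in quotes, whereas the '%' case is a LIKE problem that no amount of escaping fixes, which is why the thread's switch to = matters as much as mysql_real_escape_string().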

