Re: Sometimes I wonder why I even started programming...

On Thu, Feb 28, 2008 at 11:57 AM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>
>
>  On Feb 28, 2008, at 11:28 AM, Eric Butera wrote:
>
>  > On Wed, Feb 27, 2008 at 5:12 PM, Daniel Brown <parasane@xxxxxxxxx>
>  > wrote:
>  >> On Wed, Feb 27, 2008 at 4:55 PM, Jason Pruim <japruim@xxxxxxxxxx>
>  >> wrote:
>  >>> So I was supposed to go home a half hour ago but that didn't
>  >>> happen...
>  >>> I hate deadlines! :P
>  >>
>  >>    You whine like a mule.
>  >>
>  >> [snip!]
>  >>
>  >>>        function authentication($user, $pass, $authenticated, $table){
>  >>>
>  >>>                // Keep in mind, PASSWORD has meaning in MySQL
>  >>>                // Do your string sanitizing here
>  >>>                // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
>  >>>                $salt = "salt";
>  >>>                $salt1 = $salt;
>  >>>                $salt1 .= $pass;
>  >>>
>  >>>                $password = md5("$salt1");
>  >>>                $loginQuery = "SELECT * FROM current WHERE loginName='".$user."' AND loginPassword='".$password."' LIMIT 0,1;";
>  >>>                $loginResult = mysql_query($loginQuery) or die("Wrong data supplied or database error" .mysql_error());
>  >>>                while($row1 = mysql_fetch_array($loginResult)) {
>  >>>                        $_SESSION['user'] = $row1['loginName'];
>  >>>                        $_SESSION['loggedin'] = "YES";
>  >>>                        $authenticated = "true";
>  >>>                        $table = $row1['tableName'];
>  >>>                }
>  >>>                return $table;
>  >>>                return $authenticated;
>  >>>        }
>  >>
>  >>    I recognize that code, Jason!  At least the base of it (and the
>  >> comments).  ;-P
>  >>
>  >>    See in the first block how you're using $_SESSION?  That's why
>  >> you're able to read it later.... because you have two return $xxx
>  >> lines in each function.
>  >>
>  >>    As soon as a function reaches a `return` statement, it returns
>  >> that data and exits, so the second `return` is never processed.
>  >>
>  >> --
>  >> </Dan>
>  >>
>  >> Daniel P. Brown
>  >> Senior Unix Geek
>  >> <? while(1) { $me = $mind--; sleep(86400); } ?>
>  >>
>  >>
>  >>
>  >> --
>  >> PHP General Mailing List (http://www.php.net/)
>  >> To unsubscribe, visit: http://www.php.net/unsub.php
>  >>
>  >>
>  >
>  > Guess all your posts stating to sanitize data just really don't have
>  > an impact, huh?  Perhaps you should stop posting code that doesn't
>  > validate/escape as it will be copied and pasted as I've told you
>  > before.
>
>  The code for escaping and sanitizing the input is in a different
>  module of the program. I actually do it right before sending it to my
>  authentication function.  I didn't see the need to post it since it
>  wasn't related to the problem :)
>
>  And the comments were from Mr. Brown who gave me the code originally
>  that has now been adapted to use in a different program :)
>
>
>  --
>
>  Jason Pruim
>  Raoset Inc.
>  Technology Manager
>  MQC Specialist
>  3251 132nd ave
>  Holland, MI, 49424-9337
>  www.raoset.com
>  japruim@xxxxxxxxxx
>

Your escaping should be right before you run the query, not somewhere
else.  What if you change something around and take off the escaping
function?  Or what if you decide to change your database connection?
Having it all in one spot makes it easier to make changes and know it
isn't going to bust.
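As an added example (not code from the thread or from any of its posters), here is how the function could be written so that the escaping lives next to the query, as Eric recommends, and so that both values come back from a single `return` instead of the two `return` lines Dan pointed out. It assumes a PDO connection to the same `current` table (`loginName`, `loginPassword`, `tableName`) and keeps the thread's salted-md5 scheme so existing stored hashes still match; the connection details are placeholders. Binding the parameters in the same function as the query means no separate escaping step elsewhere in the program can be forgotten or removed, and raising exceptions instead of `die(... mysql_error())` keeps database error text from being printed to the user.

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection to
// the `current` table used in the thread and the thread's salted-md5 scheme.

session_start();

function authentication(PDO $db, $user, $pass)
{
    // Same hashing scheme as the thread so it matches the stored values.
    // For a new system prefer password_hash()/password_verify(); a salted
    // md5 is fast to brute-force offline if the table ever leaks.
    $salt = "salt";
    $password = md5($salt . $pass);

    // The user-supplied values are bound right here, next to the query,
    // so there is no escaping step in another module that a later change
    // can silently drop.
    $stmt = $db->prepare(
        "SELECT loginName, tableName FROM current
          WHERE loginName = :user AND loginPassword = :pass LIMIT 1"
    );
    $stmt->execute([':user' => $user, ':pass' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // No matching row: report failure explicitly rather than leaving
        // the caller's defaults in place.
        return ['authenticated' => false, 'table' => null];
    }

    $_SESSION['user']     = $row['loginName'];
    $_SESSION['loggedin'] = "YES";

    // One return carrying both values; a second `return` would never run.
    return ['authenticated' => true, 'table' => $row['tableName']];
}

// Usage. Connection details are placeholders; ERRMODE_EXCEPTION means a
// database error surfaces as an exception instead of being printed to the
// browser with the query's error text.
$db = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$result = authentication($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
if ($result['authenticated']) {
    $table = $result['table'];
}
```

The caller reads both results out of the returned array, which is the usual way to hand back more than one value from a PHP function when `$_SESSION` is not the right place for it.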
