On Feb 28, 2008, at 12:39 PM, Eric Butera wrote:
On Thu, Feb 28, 2008 at 11:57 AM, Jason Pruim <japruim@xxxxxxxxxx>
wrote:
On Feb 28, 2008, at 11:28 AM, Eric Butera wrote:
On Wed, Feb 27, 2008 at 5:12 PM, Daniel Brown <parasane@xxxxxxxxx>
wrote:
On Wed, Feb 27, 2008 at 4:55 PM, Jason Pruim <japruim@xxxxxxxxxx>
wrote:
So I was supposed to go home a half hour ago but that didn't
happen...
I hate deadlines! :P
You whine like a mule.
[snip!]
function authentication($user, $pass, $authenticated,
$table){
// Keep in mind, PASSWORD has meaning in
MySQL
// Do your string sanitizing here
// (e.g. - $user =
mysql_real_escape_string($_POST['user']);)
$salt = "salt";
$salt1 = $salt;
$salt1 .= $pass;
$password = md5("$salt1");
$loginQuery = "SELECT * FROM current WHERE
loginName='".$user."'
AND loginPassword='".$password."' LIMIT 0,1;";
$loginResult = mysql_query($loginQuery) or
die("Wrong data supplied
or database error" .mysql_error());
while($row1 =
mysql_fetch_array($loginResult)) {
$_SESSION['user'] =
$row1['loginName'];
$_SESSION['loggedin'] = "YES";
$authenticated = "true";
$table = $row1['tableName'];
}
return $table;
return $authenticated;
} \
I recognize that code, Jason! At least the base of it (and the
comments). ;-P
See in the first block how you're using $_SESSION? That's why
you're able to read it later.... because you have two return $xxx
lines in each function.
As soon as a function reaches a `return` statement, it returns
that data and exits, so the second `return` is never processed.
--
</Dan>
Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Guess all your posts stating to sanitize data just really don't have
an impact, huh? Perhaps you should stop posting code that doesn't
validate/escape as it will be copied and pasted as I've told you
before.
The code for escaping and sanitizing the input is in a different
module of the program. I actually do it right before sending it to my
authentication function. I didn't see the need to post it since it
wasn't related to the problem :)
And the comments were from Mr. Brown who gave me the code originally
that has now been adapted to use in a different program :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx
Your escaping should be right before you run the query, not somewhere
else. What if you change something around and take off the escaping
function? Or what if you decide to change your database connection?
Having it all in one spot makes it easier to make changes and know it
isn't going to bust.
It's actually just before I call the function... The database
connection is in a completely separate function from everything that
we have been talking about... And all that's in that file is:
$link= "false";
function dbmysqlconnect($server, $username, $password, $database) {
$link = mysql_connect($server, $username, $password, $database) or
die('Could not connect: ' . mysql_error());
mysql_select_db($database) or die('Could not select database: ' .
mysql_error());
return $link;
}
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php