Re: Beginning PHP...Have Questions

You should generally use $_POST for all posted variables, $_GET for all
"get" variables (in the query string / url), and the other
superglobals for other such things. If you don't care if it's POST,
GET, or a cookie, you can use $_REQUEST.

register_globals is a setting in your php.ini. It's best practice to
set this to "off". What this means for you is that variables sent by
the user are not registered as global variables. i.e. $username will
no longer work, you have to use $_POST['username']. Search the php
lists for lots more discussion on this matter.

For more on superglobals:
http://www.php.net/manual/en/language.variables.predefined.php
For the list archives, click the "Archive" links here:
http://www.php.net/mailing-lists.php

On Mon, 19 Jul 2004 13:27:15 -0400, Aaron Todd <aaloki88@xxxxxxxxxxx> wrote:
> Jon,
> 
> Thanks for the info.  I did change the LIKE to =.  This was done just for my
> debugging.  I do have it set to = on a normal basis.
> 
> I am a little unsure what you mean at the end of your reply about register
> globals.  Are you saying that everywhere I use $username to refer to the
> users inputted username I should use $_POST['username'] instead?  Or are you
> suggesting to use this in one location?
> 
> Thanks again for the reply,
> 
> Aaron
> 
> "Jonathan Haddad" <jon@xxxxxxxxxxxxxxxxx> wrote in message
> news:40FC00A8.1080402@xxxxxxxxxxxxxxxxxxxx
> 
> 
> > if you have shell access, please do the following
> >
> > describe users;
> > select * from users;
> >
> > also, why are you using LIKE instead of =?
> > use this instead:
> >
> > $query = "SELECT * FROM users WHERE email = '".$username."'";
> >
> > i would also suggest turning off register globals and using
> > $_POST['username'] and not $username. (i'm assuming it's on given your code)
> >
> > Jon
> >
> > Aaron Todd wrote:
> >
> > >I am just starting out with PHP and I have created a simple login program
> > >that is supposed to check users input with a mysql database.  I am doing 5
> > >verifications before the program is completed...Check for the Submit button,
> > >check for a valid email address(which is the username), check for a valid
> > >password, check to see if the username exists in the database, and finally
> > >check to see if the password matches the database for the corresponding
> > >username.  Currently you don't get access to a site you only get told what
> > >your password is in the database.
> > >
> > >Everything is technically working, but it's not perfect and I think I need
> > >some help.  I have entered 2 records in the database for testing purposes.
> > >When I put in username1 and password1 it works.  The program returns the
> > >corresponding password.  When I change to username2 and still put in
> > >password1 it will return password1.
> > >
> > >I have done some debugging and I am unsure of what is really happening.  My
> > >code is below.  Would anyone be able to tell me what I am doing wrong?
> > >
> > >Thanks,
> > >
> > >Aaron
> > >
> > ><html>
> > ><body>
> > ><?php
> > >if ($submit) {
> > >  //VALID USERNAME/EMAIL ADDRESS
> > >  if (!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.'@'.'[!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}`]+\.'.'[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $username)) {
> > >    $error = "You must enter a valid email address for your username.<br>";
> > >    echo "$error<br>";
> > >  } else {
> > >    $db = mysql_connect("localhost", "username", "password");
> > >    mysql_select_db("database",$db);
> > >    $query = "SELECT * FROM users WHERE email LIKE '".$username."'";
> > >    echo "$query<br>";
> > >    $result = mysql_query($query,$db);
> > >    $num_rows = mysql_num_rows($result);
> > >    echo "There are $num_rows records matching $username<br>";
> > >    //VALID PASSWORD
> > >    echo "Entered User Name:  $username<br>";
> > >    echo "Entered Password:  $passw<br>";
> > >    if (strlen($passw) < 6 || !preg_match('/[a-z]/i', $passw) ||
> > >!preg_match('/[0-9]/', $passw)) {
> > >      $error = "Invalid Password.  Must be greater than six characters
> > >containing at least one number.<br>";
> > >      echo "$error<br>";
> > >    } else {
> > >      //USERNAME/EMAIL ADDRESS IN DATABASE
> > >      if (!$num_rows){
> > >        $error = "Username was not found.  Please Register.";
> > >        echo "$error<br>";
> > >        die(mysql_error());
> > >      } else {
> > >        //ENTERED PASSWORD IN DATABASE
> > >        if (!$passw = mysql_result($result,0,"pass")){
> > >          $error = "Invalid Password.<br>";
> > >          echo "$error<br>";
> > >        } else {
> > >          printf("Password is %s<br>\n", mysql_result($result,0,"pass"));
> > >        }
> > >      }
> > >    }
> > >  }
> > >} else {
> > >
> > >  ?>
> > >
> > ><form method="post" action="<?php echo $PHP_SELF?>">
> > >
> > >  User Name:<input type="Text" name="username"><br>
> > >
> > >  Password:<input type="Text" name="passw"><br>
> > >
> > >  <input type="Submit" name="submit" value="Enter information">
> > >
> > >  </form>
> > >
> > ><?php
> > >
> > >} // end if
> > >
> > >
> > >?>
> > >
> > ></body>
> > >
> > ></html>


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
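
Added example, not code from this thread or its authors: the login check with every field read explicitly from $_POST, so it behaves the same with register_globals off. It goes slightly beyond the reply by binding the value in the query and using password_verify(); check_login(), the in-memory SQLite table (needs pdo_sqlite) and the hashed pass column are assumptions made for the example.

```php
<?php
// Constructed sample data: an in-memory SQLite database stands in for the
// thread's MySQL "users" table (column names email and pass are from the thread).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (email, pass) VALUES (?, ?)');
$ins->execute(['user1@example.com', password_hash('secret1a', PASSWORD_DEFAULT)]);
$ins->execute(['user2@example.com', password_hash('secret2b', PASSWORD_DEFAULT)]);

// check_login() is a hypothetical helper. On a live page it would be called as
// check_login($db, $_POST); nothing in it relies on register_globals.
function check_login(PDO $db, array $post): string
{
    // Read each field from the request array by name. A missing field, or one
    // that arrives as an array (username[]=x), is treated as empty.
    $username = is_string($post['username'] ?? null) ? trim($post['username']) : '';
    $passw    = is_string($post['passw'] ?? null) ? $post['passw'] : '';

    if (filter_var($username, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid-email';
    }
    // Bound parameter with "=": the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pass FROM users WHERE email = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no row matches

    // password_verify() compares the two values and leaves $passw unchanged.
    // An unknown user and a wrong password get the same reply.
    if ($stored === false || !password_verify($passw, $stored)) {
        return 'login-failed';
    }
    return 'ok';
}

// Constructed requests, shaped like $_POST from the thread's form.
$requests = [
    ['username' => 'user1@example.com', 'passw' => 'secret1a', 'submit' => 'Enter information'],
    ['username' => 'user2@example.com', 'passw' => 'secret1a'],   // user2 with user1's password
    ['username' => "o'brien@example.com", 'passw' => 'secret1a'], // apostrophe is just data here
    ['username' => ['user1@example.com'], 'passw' => 'secret1a'], // array instead of string
];
foreach ($requests as $post) {
    echo check_login($db, $post), "\n";
}
```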
