Re: Beginning PHP...Have Questions

That makes great sense, however when I tried using $_POST in my SQL
statement it would not work.

This works fine:
$query = "SELECT * FROM users WHERE email='".$username."'";
But this one doesn't at all:
$query = "SELECT * FROM users WHERE email='",$_POST['username'],"'";

It does however work for all the echo commands and it is also correct when
I echo the statement:
echo "SELECT * FROM users WHERE email='",$_POST['username'],"'";

Am I missing something?

Thanks again,

Aaron




"Justin Patrin" <papercrane@xxxxxxxxx> wrote in message
news:432beae04071910563e6199ed@xxxxxxxxxxxxxxxxx
> You should generally $_POST for all posted variables, $_GET for all
> "get" variables (in the query string / url), and the other
> superglobals for other such things. If you don't care if it's POST,
> GET, or a cookie, you can use $_REQUEST.
>
> register_globals is a setting in your php.ini. It's best practice to
> set this to "off". What this means for you is that variables sent by
> the user are not registered as global variables. i.e. $username will
> no longer work, you have to use $_POST['username']. Search the php
> lists for lots more discussion on this matter.
>
> For more on superglobals:
> http://www.php.net/manual/en/language.variables.predefined.php
> For the list archives, click the "Archive" links here:
> http://www.php.net/mailing-lists.php
>
> On Mon, 19 Jul 2004 13:27:15 -0400, Aaron Todd <aaloki88@xxxxxxxxxxx> wrote:
> > Jon,
> >
> > Thanks for the info.  I did change the LIKE to =.  This was done just for my
> > debugging.  I do have it set to = on a normal basis.
> >
> > I am a little unsure what you mean at the end of your reply about register
> > globals.  Are you saying that everywhere I use $username to refer to the
> > user's inputted username I should use $_POST['username'] instead?  Or are you
> > suggesting to use this in one location.
> >
> > Thanks again for the reply,
> >
> > Aaron
> >
> > "Jonathan Haddad" <jon@xxxxxxxxxxxxxxxxx> wrote in message
> > news:40FC00A8.1080402@xxxxxxxxxxxxxxxxxxxx
> >
> >
> > > if you have shell access, please do the following
> > >
> > > describe users;
> > > select * from users;
> > >
> > > also, why are you using LIKE instead of =?
> > > use this instead:
> > >
> > > $query = "SELECT * FROM users WHERE email = '".$username."'";
> > >
> > > i would also suggest turning off register globals and using
> > > $_POST['username'] and not $username. (i'm assuming it's on given your code)
> > >
> > > Jon
> > >
> > > Aaron Todd wrote:
> > >
> > > >I am just starting out with PHP and I have created a simple login program
> > > >that is supposed to check users input with a mysql database.  I am doing 5
> > > >verifications before the program is completed...Check for the Submit button,
> > > >check for a valid email address(which is the username), check for a valid
> > > >password, check to see if the username exists in the database, and finally
> > > >check to see if the password matches the database for the corresponding
> > > >username.  Currently you don't get access to a site you only get told what
> > > >your password is in the database.
> > > >
> > > >Everything is technically working, but it's not perfect and I think I need
> > > >some help.  I have entered 2 records in the database for testing purposes.
> > > >When I put in username1 and password1 it works.  The program returns the
> > > >corresponding password.  When I change to username2 and still put in
> > > >password1 it will return password1.
> > > >
> > > >I have done some debugging and I am unsure of what is really happening.  My
> > > >code is below.  Would anyone be able to tell me what I am doing wrong?
> > > >
> > > >Thanks,
> > > >
> > > >Aaron
> > > >
> > > ><html>
> > > ><body>
> > > ><?php
> > > >if ($submit) {
> > > >  //VALID USERNAME/EMAIL ADDRESS
> > > >  if (!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.'@'.'[!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}`]+\.'.'[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $username)) {
> > > >    $error = "You must enter a valid email address for your username.<br>";
> > > >    echo "$error<br>";
> > > >  } else {
> > > >    $db = mysql_connect("localhost", "username", "password");
> > > >    mysql_select_db("database",$db);
> > > >    $query = "SELECT * FROM users WHERE email LIKE '".$username."'";
> > > >    echo "$query<br>";
> > > >    $result = mysql_query($query,$db);
> > > >    $num_rows = mysql_num_rows($result);
> > > >    echo "There are $num_rows records matching $username<br>";
> > > >    //VALID PASSWORD
> > > >    echo "Entered User Name:  $username<br>";
> > > >    echo "Entered Password:  $passw<br>";
> > > >    if (strlen($passw) < 6 || !preg_match('/[a-z]/i', $passw) || !preg_match('/[0-9]/', $passw)) {
> > > >      $error = "Invalid Password.  Must be greater than six characters containing at least one number.<br>";
> > > >      echo "$error<br>";
> > > >    } else {
> > > >      //USERNAME/EMAIL ADDRESS IN DATABASE
> > > >      if (!$num_rows){
> > > >        $error = "Username was not found.  Please Register.";
> > > >        echo "$error<br>";
> > > >        die(mysql_error());
> > > >      } else {
> > > >        //ENTERED PASSWORD IN DATABASE
> > > >        if (!$passw = mysql_result($result,0,"pass")){
> > > >          $error = "Invalid Password.<br>";
> > > >          echo "$error<br>";
> > > >        } else {
> > > >          printf("Password is %s<br>\n", mysql_result($result,0,"pass"));
> > > >        }
> > > >      }
> > > >    }
> > > >  }
> > > >} else {
> > > >
> > > >  ?>
> > > >
> > > ><form method="post" action="<?php echo $PHP_SELF?>">
> > > >
> > > >  User Name:<input type="Text" name="username"><br>
> > > >
> > > >  Password:<input type="Text" name="passw"><br>
> > > >
> > > >  <input type="Submit" name="submit" value="Enter information">
> > > >
> > > >  </form>
> > > >
> > > ><?php
> > > >
> > > >} // end if
> > > >
> > > >
> > > >?>
> > > >
> > > ></body>
> > > >
> > > ></html>
> > > >
> > > >
> > > >
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
> -- 
> DB_DataObject_FormBuilder - The database at your fingertips
> http://pear.php.net/package/DB_DataObject_FormBuilder
>
> paperCrane --Justin Patrin--
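
Added example, not part of the original thread or any poster's code: the comma list is only valid as `echo` arguments, so an assignment needs the `.` operator, and either way a value concatenated into the SQL string is parsed as SQL. The quoted `ereg` check accepts apostrophes, so a legitimate address such as the constructed one below already breaks the concatenated query, while the prepared statement handles it. Assumptions: PDO with an in-memory SQLite table stands in for the thread's MySQL `users` table, passwords are stored hashed rather than in plain text, and `runConcatenated()` and `checkLogin()` are hypothetical names.

```php
<?php
// Constructed in-memory table standing in for the thread's `users` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (email, pass) VALUES (?, ?)');
$ins->execute(["o'brien@example.com", password_hash('secret42', PASSWORD_DEFAULT)]);

// Stand-in for a submitted form (constructed input, not real data).
$_POST = ['username' => "o'brien@example.com", 'passw' => 'secret42'];

// 1. Assignment needs the "." operator; the comma list is only valid as echo arguments.
$concat = "SELECT * FROM users WHERE email='" . $_POST['username'] . "'";

// 2. In the concatenated form the value's own quote ends the SQL string literal early.
function runConcatenated(PDO $db, string $sql): string {
    try {
        $db->query($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'query failed';
    }
}

// 3. Hardened form: the value is bound as a parameter and never parsed as SQL.
function checkLogin(PDO $db, array $post): bool {
    $email = $post['username'] ?? '';
    $passw = $post['passw'] ?? '';
    if (!is_string($email) || !is_string($passw)) {
        return false;
    }
    $stmt = $db->prepare('SELECT pass FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares; a bare "=" in the if-condition would assign instead.
    return $hash !== false && password_verify($passw, $hash);
}

echo $concat, "\n";
echo 'concatenated: ', runConcatenated($db, $concat), "\n";
echo 'prepared:     ', checkLogin($db, $_POST) ? 'login ok' : 'login refused', "\n";
```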
