Re: PHP to md5 the $var before it reaches MySQL's gen query log

Chetan Graham wrote:
Greetings to All,
I am having difficulty in 'md5'ing a $var in a function before it is
placed into the ("INSERT INTO table...

The whole point is I don't want the MySQL DB logs showing my $var's
password and username 'before' it is encrypted by MySQL's md5.

When MySQL receives PHP's encrypted $var the log shows query INSERT with
the 32 bits but it is not inserted into the DB.

MySQL will not accept the $var's in the code that is commented out.
It shows no errors by the way.
MySQL accepts what is shown, but as I explained, this is not what I want.
Thanks In Advance,
Chetan

 mysql_query("CREATE TABLE IF NOT EXISTS docproedit (
              id int(11) NOT NULL auto_increment,
              username BLOB NOT NULL default '',
              password BLOB NOT NULL default '',
              TimeEnter timestamp,
              PRIMARY KEY (id)
               )
              ENGINE=MyISAM;")or die('Create Died' . mysql_error());


<?php
$db_server='localhost';
$db_user='root';
$db_pass='somepassword';
$db_name='aims site';
$tbl_name='docproedit';
$con = mysql_connect($db_server,$db_user,$db_pass) or die(mysql_error());
$q=mysql_select_db($db_name, $con) or die(mysql_error());

function addNewUser($username,$password){
global $q;
global $tbl_name;
global $con;
//$user=md5($username);
//$pass=md5($password);
//mysql_query("INSERT INTO $tbl_name
(username,password)VALUES('$user'),('$pass')");

You need to use mysql_real_escape_string in your queries so things like ' and " get escaped properly.

Otherwise you end up with:

$username = "my 'username";
$password = "my 'password";
insert into table(username, password) values ('my 'username', 'my 'password');

This is called SQL injection and you need to check to make sure they are escaped.

Please read http://phpsec.org/projects/guide/3.html

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
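The two points raised in this thread, hashing in PHP so only the digest ever reaches MySQL (and its general query log), and not interpolating user input into the INSERT, in one added example. This is not code from the thread: it uses PDO with bound parameters instead of mysql_real_escape_string, because the mysql_* extension is removed in PHP 7, and the DSN, credentials and table name are placeholders matching the thread's docproedit table.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7+ with the PDO MySQL
// driver and a docproedit(username, password) table as created in the thread.

// The reply's point, made concrete: interpolating $username and $password into the
// SQL string lets a single quote change the statement's structure.
function buildInsertUnsafe(string $tbl, string $username, string $password): string
{
    return "INSERT INTO $tbl (username, password) VALUES ('$username', '$password')";
}

// Safe counterpart to the thread's addNewUser(): hash in PHP so the plaintext never
// leaves the application, then bind the values instead of escaping by hand.
function addNewUser(PDO $db, string $tbl, string $username, string $password): bool
{
    // The thread uses md5(); password_hash() is the current recommendation for
    // password storage. In both cases only the digest is sent to the server.
    $pass = password_hash($password, PASSWORD_DEFAULT);

    // Identifiers cannot be bound as parameters, so restrict the table name to a
    // plain identifier before placing it in the statement.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $tbl)) {
        throw new InvalidArgumentException('unsafe table name');
    }

    $stmt = $db->prepare("INSERT INTO `$tbl` (username, password) VALUES (?, ?)");
    return $stmt->execute([$username, $pass]);
}

// Reproduce the broken statement from the reply (no database needed).
echo buildInsertUnsafe('docproedit', "my 'username", "my 'password"), PHP_EOL;

// The safe path, run only when a database is available; credentials are placeholders.
if (getenv('RUN_DB_DEMO')) {
    $dsn = 'mysql:host=localhost;dbname=aims_site;charset=utf8mb4';
    $db = new PDO($dsn, 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepared statements
    ]);
    var_dump(addNewUser($db, 'docproedit', "my 'username", "my 'password"));
}
```

With PDO::ATTR_EMULATE_PREPARES disabled the values travel separately from the statement text, so the quote in "my 'username" is stored as data rather than parsed as SQL; and because the hash is computed before execute(), the query log only ever records the digest.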

