Re: Slashes or no slashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Aug 23, 2010, at 9:31 PM, Chris wrote:


To be more specific. Is this correct?

function confirmUP($username, $password){
$username = mysql_real_escape_string($username);

/* Verify that user is in database */
$q = "SELECT password FROM TBL-U WHERE username = '$username'";

I normally do it in the query in case you use the variable somewhere else but here it's ok because you don't use $username elsewhere. Be careful though, it may bite you and it will be difficult to track down.

eg

$q = "select password from table where username='" . mysql_real_escape_string($username) . "'";

echo "You entered " . htmlspecialchars($username) . ", either it was wrong or the password was wrong. Try again.";

Doing the escape_string before the query means you end up with (basically)

htmlspecialchars(mysql_real_escape_string($username));

which will cause weird characters to show up in certain cases.

$result = $this->query($q);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}

/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']);
$password = mysql_real_escape_string(md5($password));
$password = htmlspecialchars($password);

You're not displaying the password so don't htmlspecialchars it.

Just:

if ($dbarray['password'] == md5($password)) {
  return 0; // success!
}

Only specialchars it when you display it (like the echo above).

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Ahhh. I see.
But I do still put the escape on what they entered so it will match what is in the database.
Ok. Thank you Thank you Thank you.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux