Re: Slashes or no slashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Aug 23, 2010, at 10:04 PM, Karl DeSaulniers wrote:

On Aug 23, 2010, at 9:31 PM, Chris wrote:


To be more specific. Is this correct?

function confirmUP($username, $password){
$username = mysql_real_escape_string($username);

/* Verify that user is in database */
$q = "SELECT password FROM TBL-U WHERE username = '$username'";

I normally do it in the query in case you use the variable somewhere else but here it's ok because you don't use $username elsewhere. Be careful though, it may bite you and it will be difficult to track down.

eg

$q = "select password from table where username='" . mysql_real_escape_string($username) . "'";

echo "You entered " . htmlspecialchars($username) . ", either it was wrong or the password was wrong. Try again.";

Doing the escape_string before the query means you end up with (basically)

htmlspecialchars(mysql_real_escape_string($username));

which will cause weird characters to show up in certain cases.

$result = $this->query($q);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}

/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']);
$password = mysql_real_escape_string(md5($password));
$password = htmlspecialchars($password);

You're not displaying the password so don't htmlspecialchars it.

Just:

if ($dbarray['password'] == md5($password)) {
  return 0; // success!
}

Only specialchars it when you display it (like the echo above).

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Ahhh. I see.
But I do still put the escape on what they entered so it will match what is in the database.
Ok. Thank you Thank you Thank you.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Just to make sure, cause I am ready to get past this.
Is this correct?

function confirmUP($username, $password){
	/* Verify that user is in database */
$q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
      $result = $this->query($q);
      if(!$result || (mysql_numrows($result) < 1)){
         return 1; //Indicates username failure
      }

      /* Retrieve password from result */
      $dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray ['password']); //Or is this where I need to leave htmlspecialchars off too?

      /* Validate that password is correct */
      if(md5($password) == $dbarray['password']){
         return 0; //Success! Username and password confirmed
      }
      else{
         return 2; //Indicates password failure
      }
   }


Karl DeSaulniers
Design Drumm
http://designdrumm.com


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux