Just to make sure, cause I am ready to get past this.
Is this correct?
function confirmUP($username, $password){
/* Verify that user is in database */
$q = "SELECT password FROM ".TBL_USERS." WHERE username =
'".mysql_real_escape_string($username)."'";
Perfect.
/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']); //Or is
this where I need to leave htmlspecialchars off too?
Leave it off.
You're not displaying $dbarray['password'] here - so you don't need to
use htmlspecialchars.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
