On Aug 23, 2010, at 10:35 PM, Chris wrote:
Just to make sure, cause I am ready to get past this.
Is this correct?
function confirmUP($username, $password){
/* Verify that user is in database */
$q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
Perfect.
/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']); // Or is this where I need to leave htmlspecialchars off too?
Leave it off.
You're not displaying $dbarray['password'] here - so you don't need
to use htmlspecialchars.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Got it. So only when I am going to display the result from the
database. I see.
But for comparing $dbarray['password'] to $password, don't I have to
escape $password and then md5 it?
TIA
Karl DeSaulniers
Design Drumm
http://designdrumm.com
@david.lopez: Your emails are getting blocked by my isp, so I have
not seen any of your emails. Not ignoring you, promise.
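
The rule discussed in this thread (escape a value for the context it is entering, and only there), as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite table in place of the thread's mysql_* calls and TBL_USERS, and swaps md5 for password_hash()/password_verify(); the table, user name and passwords are constructed.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the thread's MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('pa"ss<word>', PASSWORD_DEFAULT)]);

/** Returns true when $password matches the stored hash for $username. */
function confirmUP(PDO $pdo, string $username, string $password): bool
{
    // SQL context: $username goes into the query, so it is bound as a parameter
    // (the prepared-statement counterpart of mysql_real_escape_string()).
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        return false; // no such user
    }

    // PHP context: $password never enters SQL or HTML here, so it is passed raw.
    // Escaping it first would change the bytes being hashed.
    // No htmlspecialchars() on $stored either: it is compared, not displayed.
    return password_verify($password, $stored);
}

/** HTML context: escape only at the point of output. */
function greeting(string $username): string
{
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
}

var_dump(confirmUP($pdo, "o'brien", 'pa"ss<word>'));   // correct password
var_dump(confirmUP($pdo, "o'brien", 'pa\"ss<word>'));  // backslash-escaped copy of it
var_dump(confirmUP($pdo, "x' OR '1'='1", 'anything')); // quote in username is just data
echo greeting("<b>o'brien</b>"), PHP_EOL;
```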