Help

  • Dal

    Help

    Help! I'm trying to get a login script to work.

    I get this error message

    MySQL Login Error: You have an error in your SQL syntax near
    ''jvsd0001_customers` WHERE cust_name='testuser' AND
    cust_pass='test123'' at line 1

    I'm using a database called test
    here is mysql table:
    mysql> select * from jvsd0001_customers;
    +---------+-----------+---------------+
    | cust_id | cust_name | cust_password |
    +---------+-----------+---------------+
    |       1 | testuser  | test123       |
    +---------+-----------+---------------+
    1 row in set (0.00 sec)

    [jvsd0001@hal] pico login.php

    UW PICO(tm) 4.2    File: login.php    Modified

    <?php
    $username = $_POST['user'];
    $password = $_POST['pass'];
    if (!$_POST['pass'] && !$_POST['user']) {
    ?>
    <html><b>Member Login</b>
    <br><form method="POST">Username:
    <br><input type="text" name="user" value="">
    <br>Password:
    <br><input type="text" name="pass" value="">
    <br><input type="submit" name="submit" value="Login">
    <?php
    } else {
    mysql_connect("localhost", "abdullah") or die('My SQL Error: ' .
    mysql_error());
    mysql_select_db("test");
    $stuff = mysql_query("SELECT * FROM 'jvsd0001_customers` WHERE
    username='".$cust_name."' AND password='".$cust_pass."'") or
    die("MySQL Login Error: ".mysql_error());
    if (mysql_num_rows($stuff) > 0) {
    echo("Logged in");
    } else {
    echo("Login Incorrect. Please Try Again!");
    }
    }
    ?>

    What's wrong???

    I can't get this script to work either.

    <?php
    if(!isset($HTTP_POST_VARS['cust_name'])&&!isset($HTTP_POST_VARS['cust_pass']))
    {
    //Visitor needs to enter a name and password
    ?>
    <h1>Please Log In</h1>
    This page is secret.
    <form method="post" action="secretdb.php">
    <table border="1">
    <tr>
    <th> Username </th>
    <td> <input type="text" name="cust_name"> </td>
    </tr>
    <tr>
    <th> Password </th>
    <td> <input type="password" name="cust_pass"> </td>
    </tr>
    <tr>
    <td colspan="2" align="center">
    <input type="submit" value="Log In">
    </td>
    </tr>
    </table>
    </form>
    <?php
    }
    else
    {
    // connect to mysql
    $mysql = mysql_connect( 'localhost', 'abdullah');
    if(!$mysql)
    {
    echo 'Cannot connect to database.';
    exit;
    }
    // select the appropriate database
    $mysql = mysql_select_db ( 'test' );
    if(!$mysql)
    {
    echo 'Cannot select database.';
    exit;
    }

    // query the database to see if there is a record which matches
    $query = "select count(*) from jvsd0001_customers where
    cust_name = '$cust_name' and
    cust_pass = '$cust_pass'";

    $result = mysql_query( $query );
    if(!$result)
    {
    echo 'Cannot run query.';
    exit;
    }

    $count = mysql_result( $result, 0, 0 );

    if ( $count > 0 )
    {
    // visitor's name and password combination are correct
    echo '<h1>Here it is!</h1>';
    echo 'I bet you are glad you can see this secret page.';
    }
    else
    {
    // visitor's name and password combination are not correct
    echo '<h1>Go Away!</h1>';
    echo 'You are not authorized to view this resource.';
    }
    }
    ?>



    Can anybody tell me what I'm doing wrong here, please!
  • Jonathan Lamothe

    #2
    Re: Help


    Well, in answer to your question, you need to change a few lines:

    For starters:

    mysql_connect("localhost", "abdullah") or die('My SQL Error: ' .
    mysql_error());
    mysql_select_db("test");

    should read:

    $db = mysql_connect("localhost", "abdullah") or die('My SQL Error: ' .
    mysql_error());
    mysql_select_db("test", $db);

    Secondly:

    $stuff = mysql_query("SELECT * FROM 'jvsd0001_customers` WHERE
    username='".$cust_name."' AND password='".$cust_pass."'")

    should read:

    $stuff = mysql_query("SELECT * FROM jvsd0001_customers WHERE
    username='".$cust_name."' AND password='".$cust_pass."'", $db);

    This is because PHP can manage several databases at once, so you need to
    give each database a variable name. I've chosen $db, but you can use
    whatever you want.

    Secondly, you should probably be using encrypted passwords. It's just a
    good idea. It's even built right in to MySQL. Instead of using password =
    "your password here", you would use password = password("your password
    here"). This will encode the password into a 16-digit hexadecimal string.

    Next, if a user enters a quotation mark into their username or password,
    it'll screw up your query. I'm not sure if there's a simple way of fixing
    this.

    Hopefully, this helps.

    --
    Jonathan Lamothe
    Founder of the Anime Void.


    • Terence

      #3
      Re: Help

      Jonathan Lamothe wrote:

      > Next, if a user enters a quotation mark into their username or password,
      > it'll screw up your query. I'm not sure if there's a simple way of fixing
      > this.

      $sql .= "WHERE '".str_replace("'","''",$dubious_user_input)."'";






      • Eagle

        #4
        Re: Help

        Look at your line:

        username='".$cust_name."' AND password='".$cust_pass."'"

        and write

        username='$cust_name' AND password='$cust_pass'")

        instead.
        Eagle


        On 24 Nov 2003 13:38:20 -0800, dali@cogeco.ca (Dal) wrote:

        • Eagle

          #5
          Re: Help

          > password = password("your password
          > here").

          Hi !

          What function is this ???????
          It's not even listed in the PHP.net manual or anywhere else I look.
          Am I missing something?

          Eagle


          • Terence

            #6
            Re: Help

            Eagle wrote:

            > Look at your line:
            >
            > username='".$cust_name."' AND password='".$cust_pass."'"
            >
            > and write
            >
            > username='$cust_name' AND password='$cust_pass'")
            >
            > instead.
            > Eagle

            Am I missing something or is that just a coding style issue?

            Personally, I prefer the former. It separates the variables out more
            clearly and is therefore easier to read for me.

            I NEVER include variable references in double-quoted string literals.
            But that's just my style.



            • Doug Hutcheson

              #7
              Re: Help

              "Eagle" <eagleflyer2@lycos.com> wrote in message
              news:rp06svckgirem2pg0drqunncvvkqisbemc@4ax.com...
              >
              > > password = password("your password
              > > here").
              >
              > Hi !
              >
              > What function is this ???????
              > It's not even listed in the PHP.net manual or anywhere else I look.
              > Am I missing something?
              >
              > Eagle
              >
              It is a function in MySQL, not PHP.
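
The two problems raised in this thread, passwords stored in the clear and a quotation mark in the input breaking the query, handled together in one added example that is not code from any poster. It swaps in PDO bound parameters for the quote doubling and PHP's password_hash()/password_verify() for the MySQL password() function discussed above. Assumptions: PHP 5.5 or later with the pdo_sqlite extension, an in-memory SQLite database standing in for the thread's MySQL server so the script runs offline, and the made-up function names add_customer and check_login.

```php
<?php
// Added example, not code from the thread.
// Assumption: in-memory SQLite stands in for MySQL; against MySQL only the
// DSN changes, e.g. new PDO('mysql:host=localhost;dbname=test', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table and column names as shown in the first post.
$pdo->exec('CREATE TABLE jvsd0001_customers (
    cust_id INTEGER PRIMARY KEY,
    cust_name TEXT UNIQUE NOT NULL,
    cust_password TEXT NOT NULL)');

// Hypothetical helper: store a salted hash, never the password itself.
function add_customer(PDO $pdo, $name, $password) {
    $stmt = $pdo->prepare(
        'INSERT INTO jvsd0001_customers (cust_name, cust_password) VALUES (?, ?)');
    $stmt->execute(array($name, password_hash($password, PASSWORD_DEFAULT)));
}

// Hypothetical helper: the query text is fixed and user input travels only
// as bound values, so a quotation mark in it is data, not SQL syntax.
function check_login(PDO $pdo, $name, $password) {
    $stmt = $pdo->prepare(
        'SELECT cust_password FROM jvsd0001_customers WHERE cust_name = ?');
    $stmt->execute(array($name));
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the name.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample accounts; the second has quotes in both fields.
add_customer($pdo, 'testuser', 'test123');
add_customer($pdo, "O'Brien", "it's a secret");

var_dump(check_login($pdo, 'testuser', 'test123'));       // correct credentials
var_dump(check_login($pdo, "O'Brien", "it's a secret"));  // quotes in name and password
var_dump(check_login($pdo, 'testuser', 'wrong'));         // wrong password
var_dump(check_login($pdo, "nobody'", 'x'));              // unknown name ending in a quote
```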

