$_POST question from newb

  • Pete Horm

    $_POST question from newb

    Hi everyone,
    I have a question about using this variable. I am new to programming and I
    had a book that was a couple of years old regarding php programming. None
    of the examples were working correctly, until I discovered that my new
    version of PHP 4.4 disabled global variables. I figured out how to make
    the following php script work correctly, but I don't know if the way I made
    it work is the accepted way of doing things with $_POST. I created new
    variables in the php script. If anyone could take a look at the following
    html and php script, and let me know if this is the right way of doing it
    or if there is a better way, I would greatly appreciate it. Thanks in
    advance. pete

    <html>
    <head>
    <title>Mailman Login Window</title>
    </head>

    <body bgcolor="white" >
    <TABLE cellspacing=1 cellPadding=1 align=center>
    <tr>
    <td>
    <P align=center>Welcome to the<br>&nbsp;</p></td>
    </tr>
    <tr>
    <td>
    <H2 align=center>Mailing List</H2></td>
    </tr>
    <tr>
    <td>
    <p align=center>Web Application</p></td>
    </tr></TABLE>
    <H4><center>
    Please provide the requested information:
    </center></h4>
    <FORM action=trylogon.php method=post>
    <TABLE border=1 align=center cellspacing=2 cellPadding=6>
    <tr>
    <td>Enter User Name:</td>
    <td><INPUT size=15 name=username></td>
    </tr>
    <tr>
    <td>Enter Password:</td>
    <td><INPUT type=password size=15 name=password></td>
    </tr>
    <tr>
    <td>
    <P align=center><INPUT type=submit value=Login name=submit></p></td>
    <td>
    <P align=center><INPUT type=reset value=Clear></P></td>
    </tr>
    </TABLE>
    </FORM>
    </body>
    </html>




    <?php

    // Connect to MySQL with the credentials as posted; the return value is not checked.
    $connection = mysql_connect("localhost","user","password");

    $db = "mailman";

    mysql_select_db($db,$connection) or die("Could not open $db");

    // With register_globals off, the form fields only arrive through $_POST.
    $username = ($_POST['username']);
    $password = ($_POST['password']);

    // The form values are placed straight into the SQL text.
    $sql = "Select * from users where username = '$username' and password = '$password'";

    $result = mysql_query($sql,$connection) or die("Could not execute sql: $sql");

    $num_rows = mysql_num_rows($result);

    // Any matching row counts as a successful login.
    if ($num_rows > 0 ) {
    header("Location: mailman_main.php");
    }else {
    header("Location: failedlogon.html");
    }

    ?>




  • Peter Fox

    #2
    Re: $_POST question from newb

    Following on from Pete Horm's message...
    >Hi everyone,
    >I have a question about using this variable. I am new to programming and I
    >had a book that was a couple of years old regarding php programming. None
    >of the examples were working correctly, until I discovered that my new
    >version of PHP 4.4 disabled global variables. I figured out how to make
    >the following php script work correctly, but I don't know if the way I made
    >it work is the accepted way of doing things with $_POST. I created new
    >variables in the php script. If anyone could take a look at the following
    >html and php script, and let me know if this is the right way of doing it
    >or if there is a better way, I would greatly appreciate it. Thanks in
    >advance. pete

    A few random observations:
    1 - Well done. If you've never programmed before - excellent. You
    have achieved a great deal (probably a lot more than you realise) with a
    small amount of code.

    2 - You will learn a great deal from browsing the manual - either the
    on-line version or the downloaded version to browse at your leisure.
    <http://www.php.net/download-docs.php>

    3 - You will also discover the existence of naughty people who don't use
    your code 'like wot they ought'. There are two ways to do this: Either
    by getting wise to the common methods of hacking PHP/SQL pages or not
    getting wise to them. For example follow step 2 above and look for "SQL
    Injection" (Hint: Now!)

    4 - Debugging PHP is not the easiest thing in the world. You might find
    print_r() being used a bit. Find out what you can about PHP Gotchas.

    5 - There are plenty of web resources for PHP. Browse, surf, download
    and study. You might use this NG for pointers to PHP+MySQL+Server
    knowledge but we won't be rewriting your code unless we're exceptionally
    bored. (Since there are as many wrong ways to write code as there are
    right ways it's a bit of a lottery anyway.)

    6 - Once you've dealt with item 3 your next challenge will be Sessions.
    Some people never have a problem, others find it a struggle. If I were
    you I'd play with some small test pages. Lots of print_r()s ahead!

    7 - WRT your code:
    >if ($num_rows > 0 ) {
    > header("Location: mailman_main.php");
    >}else {
    > header("Location: failedlogon.html");
    >}
    I'd (a) test for what I came for not just 'something'
    (b) Have hashed using say MD5 the p/w
    (c) Not used an underscore in a page name

    --
    PETER FOX Not the same since the bra business went bust
    peterfox@eminent.demon.co.uk.not.this.bit.no.html
    2 Tees Close, Witham, Essex.
    Gravity beer in Essex <http://www.eminent.demon.co.uk>


    • pete horm

      #3
      Thank you Peter (was: $_POST question from newb)

      Hi Peter,
      Thank you very much for replying to my question. I greatly appreciate the
      advice. Have a great day.

      pete


      • Andy Hassall

        #4
        Re: $_POST question from newb

        On Wed, 21 Dec 2005 02:37:51 GMT, Pete Horm <petehorm@hotmail.com> wrote:
        >If anyone could take a look at the following
        >html and php script, and let me know if this is the right way of doing it
        >or if there is a better way, I would greatly appreciate it.

        <snip the HTML which looks pretty much OK>

        Basically the PHP is using $_POST correctly, but it's missing error handling
        and has a major security hole:
        >$connection = mysql_connect("localhost","user","password");

        Whenever you make mysql_* calls you should check the return value; you've done
        this in the mysql_select_db below but not here.
        >$db = "mailman";
        >
        >mysql_select_db($db,$connection) or die("Could not open $db");

        mysql_error() can give more informative error messages, although it's up to
        you whether you want to send the raw MySQL error message to the user or not.
        >$username = ($_POST['username']);
        >$password = ($_POST['password']);

        The brackets aren't necessary, but don't do any harm.
        >$sql = "Select * from users where username = '$username' and password =
        >'$password'";

        Serious trouble here - do a search for "sql injection attacks".

        If $password contains quotes, then this will cause an error in the SQL. From
        there, you can start putting in specific values that change the condition in
        the SQL, for example you could send:

        '' or 'x'='x

        ... as password, which results in:

        Select * from users where username = 'username' and password = '' or 'x'='x'

        This will return all the data in the table, so the page can be tricked in this
        way into thinking it's got a valid login, when actually it hasn't.

        Use mysql_escape_string() on all values before they get put into SQL.

        Another approach is to use a database abstraction library, my favourite being
        ADOdb (http://adodb.sourceforge.net), which can take away the worry of having
        to remember to escape values. You can then write statements like:

        $result = $db->Execute(
        'select * from users where username = ? and password = ?',
        array($username, $password)
        );

        The library then handles whatever is required to get the values into the
        database, substituting the "?" placeholders with values that are escaped and
        quoted if necessary (or other databases, such as Oracle, bind values separately
        to running the statement), which makes avoiding SQL injection attacks much
        easier.
        >$result = mysql_query($sql,$connection) or die("Could not execute sql:
        >$sql");
        >
        >$num_rows = mysql_num_rows($result);

        You ought to fetch the row and check it matches at least the username you
        supplied, and if $num_rows > 1 that'd be suspicious.
        >if ($num_rows > 0 ) {
        > header("Location: mailman_main.php");

        Location headers have to go to absolute URLs, e.g.


        Relative URLs aren't allowed in the HTTP specifications, although most
        browsers correct for this common mistake.
        >}else {
        > header("Location: failedlogon.html");
        >}
        >?>

        --
        Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
        http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
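The two replies above (#2 and #4) point at the same set of fixes for trylogon.php: keep form values out of the SQL text, hash the stored password, check that the row you got back is the user you asked for, and send an absolute URL in Location. The script below applies all of them and is an added example, not code from the thread or from either poster. It assumes PHP 7 or later with the pdo_sqlite extension and builds an in-memory SQLite table so it runs by itself with `php trylogon_example.php`; the account `pete`/`s3cret`, the injected password and the host name in redirectTarget() are constructed for the demonstration. The `?` placeholders are the same idea as the ADOdb Execute() call above, done through PDO; password_hash()/password_verify() stand in for the MD5 suggested in #2, and the injected password is written with a single leading quote, which is what produces the SQL shown in #4.

```php
<?php
// Added example (not from the original thread): the login from trylogon.php
// rebuilt around the advice in the replies. Assumptions: PHP >= 7 with
// pdo_sqlite; table and column names follow the thread (users, username,
// password); the sample account and the host name are made up.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample account. The stored value is a salted hash, never the password.
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $ins->execute(['pete', password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// The query exactly as the original script builds it: form values spliced
// into the SQL text. Kept only to show what the injected password does.
function vulnerableRowCount(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return count($db->query($sql)->fetchAll());
}

// Prepared statement: the driver sends $username separately from the SQL,
// so quotes in the input cannot change the WHERE clause. The password is not
// part of the query at all; it is checked against the stored hash afterwards.
function safeLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // "Test for what you came for": exactly one row, and it is the requested user.
    if (count($rows) !== 1 || $rows[0]['username'] !== $username) {
        return false;
    }
    return password_verify($password, $rows[0]['password']);
}

// RFC 2616 wants an absolute URI in Location; the host name is an assumption.
function redirectTarget(bool $loggedIn): string
{
    $base = 'http://www.example.com/';
    return $base . ($loggedIn ? 'mailman_main.php' : 'failedlogon.html');
}

$db = setupDb();
$payload = "' or 'x'='x";   // injected password from reply #4, one leading quote

// String-built query: the WHERE clause becomes
//   username = 'pete' AND password = '' or 'x'='x'
// which matches every row, so the old "$num_rows > 0" test would log the attacker in.
printf("string-built query, injected password: %d row(s)\n",
       vulnerableRowCount($db, 'pete', $payload));

// Prepared statement: the same payload is just a password that does not verify.
printf("prepared statement, injected password: %s\n",
       safeLogin($db, 'pete', $payload) ? 'login' : 'denied');
printf("prepared statement, correct password:  %s\n",
       safeLogin($db, 'pete', 's3cret') ? 'login' : 'denied');
printf("prepared statement, unknown user:      %s\n",
       safeLogin($db, 'nobody', 's3cret') ? 'login' : 'denied');

// In the real handler the result feeds the redirect. Call exit afterwards,
// otherwise the rest of the script keeps running after the header is sent:
//   header('Location: ' . redirectTarget($ok)); exit;
echo "redirect on success: ", redirectTarget(true), "\n";
```

Running it shows the string-built query returning the whole table for the injected password while the prepared version denies it and only accepts the real password for the real user. Two things to note when reading the old code next to this: the mysql_* functions (including mysql_escape_string()) were removed in PHP 7, so placeholders through PDO or mysqli are the way to go rather than escaping by hand, and neither reply mentions the missing exit after header(), which is why the comment above includes it.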


        • Pete Horm

          #5
          Re: $_POST question from newb

          Just wanted to thank you Peter and Andy for responding. I really
          appreciate the good advice that you gave.

          pete
