password() and select statement

Re: password() and select statement

chsadaki@hotmai l.com wrote:How are you putting the values into the table? What versions are the
MySQL server and the client libraries you're using in PHP?

What do you get if you do echo the password in the database and the
results of PASSWORD('$pass ')?


--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Re: password() and select statement

*** chsadaki@hotmai l.com escribió/wrote (24 Jul 2006 06:45:12 -0700):Unquoted strings are constants that you must define this way:

define('foo', 'bar');
echo foo; // prints bar

You probably mean:

$user = $_POST['username'];
$pass = $_POST['password'];
I suggest you read this article about SQL Injection:



You're retrieving all the row data when all you need is knowing whether the
record exists. It's not good programming practice and, believe me, it's far
easier to learn the right way from the beginning than changing your habits
afterwards. I suggest you either get the primary key.
I presume you're aware of the fact that you must also protect
"administrator2 .php" or anyway will be able to bypass the login screen.
The first test you must do is printing all strings on screen:

echo '<pre>';
var_dump($_POST );
var_dump($q);
echo '</pre>';

If SQL query looks OK, paste it in your favourite MySQL front end check if
it returns the expected result.

Also, check whether mysql_query() returned a result resouce or FALSE, don't
use the value blindly.


--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor con rayos UVA: http://www.demogracia.com
--

Re: password() and select statement


Alvaro G. Vicario wrote:
Actually my problem is not in quoted strings, cos if I execute this
statement I get a row:

$q = mysql_query("SE LECT username FROM admin WHERE username = '$user'
");
well the real problem is that after inserting for example this record
by using the function
Password()

mysql_query("in sert into admin values('$user', password('$pass '))");

I cant retrieve this record by using this statement:
$q = mysql_query("SE LECT username FROM admin WHERE username = '$user'
and password= password('$pass ')");

cos the password now is encrypted in the table admin, for example '123'
is in the table '773359240e'
so how can I get the record ??? Cos I tried to print the result of
mysql_query but it was empty.

Shameram Sadaki

Re: password() and select statement


chsadaki@hotmai l.com wrote:The Password Function in MySQL is only meant for the MySQL user table.

Quote from MySQL docs: "The PASSWORD() function is used by the
authentication system in MySQL Server; you should not use it in your
own applications" See


You had the right idea, though. I use SHA(), and store the password in
a column with a CHAR(40) datatype.

Re: password() and select statement


Noodle wrote:Thank you, it is working now. But I used md5() instead of sha() in both
the insert and the select statements.

thanx
shameram sadaki

According to the MySql manual: meaning that you only use it for MySql administration purposes.

You can use the following statement to setup your userid/password using the SHA1 (or something else). The other one shows how to retrieve it from the database:

[PHP]
The passsword create MySql code:

CREATE TABLE IF NOT EXISTS authorized_user s (
userid VARCHAR(20) NOT NULL PRIMARY KEY,
passwd CHAR(40) NOT NULL);

INSERT INTO authorized_user s VALUES ( 'johnny', sha1('mypw') );

The retrieve MySql code:

SELECT * FROM authorized_user s WHERE userid='$userid '
AND passwd=sha1('$p asswd')[/PHP]

Hope it is more clear now.

Ronald :cool: