Hello again.
I have tried to use password() in my login-script but it did not work.

My code is:

$sql = "SELECT * FROM users";
$sql .= " WHERE username ='" .
mysql_real_escape_string($_POST['username']) . "' ";
$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

What is wrong in this?
And how should I write it?

Thanks for all help!

Karl

On Mon, 08 Sep 2008 07:46:10 -0700, karlarneg wrote:

Quote:

I have tried to use password() in my login-script but it did not work.

Why did it not work? Did you get an error message? What have you tried?

Quote:

$sql = "SELECT * FROM users";
$sql .= " WHERE username ='" .
mysql_real_escape_string($_POST['username']) . "' "; $sql .= " AND pwd =
(PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

Maybe it is the spaces within the '' which are the problem.

karlarneg@gmail.com wrote:

Quote:

Hello again.
I have tried to use password() in my login-script but it did not work.
>
My code is:
>
$sql = "SELECT * FROM users";
$sql .= " WHERE username ='" .
mysql_real_escape_string($_POST['username']) . "' ";
$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";
>
What is wrong in this?
And how should I write it?
>
Thanks for all help!
>
Karl
>

Karl,

A bigger question is - why are you storing web users in the MySQL user
table? That should be only for MySQL users - and your website users
should never have MySQL user id's.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Jensen Somers wrote:

Quote:

Jerry Stuckle wrote:

Quote:

>
Who said he is using the MySQL users table? It's not because his users
table is also called users he is mixing it with the MySQL users table.
>

Yes, that's true. However, additionally, if he would have asked in the
correct newsgroup (PASSWORD is not a PHP function), he would have found
he shouldn't be using PASSWORD for encrypting user passwords.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

On 8 Sep, 18:46, Jerry Stuckle <jstuck...@attglobal.netwrote:

Quote:

Jensen Somers wrote:

Quote:

>

Quote:

>

Quote:

>

Quote:

>

Quote:

>

Quote:

>

Quote:

>

Quote:

>

Quote:

>
Yes, that's true. *However, additionally, if he would have asked in the
correct newsgroup (PASSWORD is not a PHP function), he would have found
he shouldn't be using PASSWORD for encrypting user passwords.
>

I use md5 and sha1 instead of password(); Now I have the result I was
looking for:)

Now I have to find out how I can do the input sensitive!
I have to control that uppercase and lowercase are exactly written
into the field as it is stored in the database!

Thanks for all help and advice!

Karl

..oO(karlarneg@gmail.com)

Quote:

>I have tried to use password() in my login-script but it did not work.
>
>My code is:
>
>$sql = "SELECT * FROM users";
>$sql .= " WHERE username ='" .
>mysql_real_escape_string($_POST['username']) . "' ";
>$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

The $_POST['pwd'] variable has to be escaped as well! You should also
consider using sprintf() or prepared statements to create the query,
e.g.

$sql = "
SELECT ... -- you should explicitly list the columns to retrieve
FROM users
WHERE username = '%s'
AND pwd = PASSWORD('%s')
";
$query = sprintf($sql,
mysql_real_escape_string($_POST['username']),
mysql_real_escape_string($_POST['pwd'])
);

Micha