On Aug 23, 2010, at 9:31 PM, Chris wrote:

To be more specific. Is this correct?

function confirmUP($username, $password){
    $username = mysql_real_escape_string($username);

    /* Verify that user is in database */
    /* table name contains a hyphen, so it must be backtick-quoted in MySQL */
    $q = "SELECT password FROM `TBL-U` WHERE username = '$username'";

I normally do it in the query in case you use the variable somewhere else, but here it's ok because you don't use $username elsewhere. Be careful though, it may bite you and it will be difficult to track down.


$q = "select password from table where username='" . mysql_real_escape_string($username) . "'";

echo "You entered " . htmlspecialchars($username) . ", either it was wrong or the password was wrong. Try again.";

Doing the escape_string before the query means you end up with (basically)


which will cause weird characters to show up in certain cases.

$result = $this->query($q);
if(!$result || (mysql_num_rows($result) < 1)){
    return 1; //Indicates username failure
}

/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']);
$password = mysql_real_escape_string(md5($password));
$password = htmlspecialchars($password);

You're not displaying the password so don't htmlspecialchars it.


/* $password already holds md5($password) from above; hashing it again here would never match */
if ($dbarray['password'] == $password) {
  return 0; // success!
}

Only specialchars it when you display it (like the echo above).

Postgresql & php tutorials

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Ahhh. I see.
But I do still put the escape on what they entered so it will match what is in the database.
Ok. Thank you Thank you Thank you.


Karl DeSaulniers
Design Drumm
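An added example, not code from either message above, that spells out the order-of-escaping point Chris makes. db_escape() is a stand-in for mysql_real_escape_string() (which needs a live connection; it escapes the same characters), the table name TBL-U is taken from Karl's snippet, and the input string is constructed; no database is touched, the functions just return the strings that would be sent or displayed.

```php
<?php
// Stand-in for mysql_real_escape_string(): same character set, no charset handling.
function db_escape($s) {
    return strtr($s, array(
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
    ));
}

/* Karl's order: escape the variable first, then reuse it everywhere. */
function escapeEarly($username) {
    $username = db_escape($username);
    return array(
        'query'   => "SELECT password FROM `TBL-U` WHERE username = '$username'",
        // the escaped copy is what gets displayed, so the backslash leaks into the page
        'message' => "You entered " . htmlspecialchars($username, ENT_QUOTES) . ", try again.",
    );
}

/* Chris's order: escape inside the query string, htmlspecialchars only at output. */
function escapeAtUse($username) {
    return array(
        'query'   => "SELECT password FROM `TBL-U` WHERE username = '" . db_escape($username) . "'",
        // the untouched input is displayed, HTML-escaped for the browser only
        'message' => "You entered " . htmlspecialchars($username, ENT_QUOTES) . ", try again.",
    );
}

/* Password check as in the thread, hashing the submitted password exactly once. */
function passwordMatches($storedMd5, $submitted) {
    // md5() returns only [0-9a-f], so neither db escaping nor htmlspecialchars
    // changes it; strict comparison avoids PHP's numeric-string coercion on ==
    return $storedMd5 === md5($submitted);
}

$input = "O'Reilly";   // constructed sample input containing a quote

$early = escapeEarly($input);
$atUse = escapeAtUse($input);

echo "early:  ", $early['query'], "\n";
echo "early:  ", $early['message'], "\n";
echo "at use: ", $atUse['query'], "\n";
echo "at use: ", $atUse['message'], "\n";

var_dump(passwordMatches(md5('secret'), 'secret'));
var_dump(passwordMatches(md5('secret'), 'wrong'));
```

Both orders produce the same escaped query, so the SQL side is equally safe; the difference is in the message. The early-escape version displays the escaped copy, so the user sees a stray backslash before the quote, which is the "weird characters" Chris mentions. Escaping at the point of use keeps $username as the user typed it, and each sink (the query, the HTML page) gets exactly the encoding it needs.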

