Hi Jas:

> if ((!$u_name) || (!$p_word) || (!$image)){

What if the variables aren't submitted at all?  Better to test for 
empty() on each variable.  Avoids Warnings if error reporting is high.

> require '/path/to/database/connection/script/dbcon.php';

Put a @ in front of that require to keep an error message from revealing 
the paths of your two vital scripts.

> $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw =
> password(\"$pw\")";

You're sending uncleaned information to your database.  Not cool.  Use 
regular expressions to make sure there are no nasty characters and that 
the items conform to expected parameters.

>   $p_hash = "$p_word";
>   $to_hash = "$image";

Why waste time assigning these things to other variables when you don't 
need to?  Also, the quotes are superfluous.

>   $pstring = md5($to_hash);
>   $image_sel = md5(uniqid(microtime($p_word),1));
>    session_start();
>    session_register('user');
>    session_register('$pstring');
>    session_register('$image_sel');

Exactly why are you storing all of this stuff in the session?  You've 
aleady validated them upfront.

Dude, let me be straight up.  The reason I didn't reply thusfar is you
sent a huge mass of poorly formatted code to the list.  I took one look 
at it and thought, why do I need to deal with that mess.


               PHP classes that make web design easier
        SQL Solution  |   Layout Solution   |  Form Solution
    sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to