Everything posted by thminco

  1. Here is what I have moving the string from temp table to permanent table...

         $query="SELECT * FROM ttmmodeltemp WHERE `processed` = 'No' AND `verified` = 'Yes'";
         $result=mysql_query($query) or die("Error: ". mysql_error(). " with query ". $query);
         $num=mysql_num_rows($result);
         $i=0;
         while ($i < $num) {
             $displayheight=mysql_result($result,$i,"Display height");
             $sql="INSERT INTO ttmmodels (`Display height`) VALUES ('$displayheight')";
             $i++;
         }
  2. PFM if I manually put in the backslashes in the `ttmmodeltemp` table, then my code seamlessly moves 5\' 10\" into the permanent table and stores it correctly as 5' 10", ready to display later. Thus, I am trying to eliminate this manual correction and have the temp table string stored as 5\' 10\". I'm sure there is an easier way, but it's beyond me.
  3. OK thanks...I will play with it some more, but what is the '%s' doing in the query?
  4. PFM I am trying to get the backslashes into the table!
  5. HHHHMMM that looks very similar to what I tried...I created the variable like this $displayheight = "5\\"."\'"." 10\\"."\""; The insert just puts it in as 5' 10"
  6. OK..here is the part of the code I have where I am trying to take a string from an sql table that contains the single and double quote and put it into another table. How do I escape this variable ($displayheight) so it will work?

         $query="SELECT * FROM ttmmodeltemp WHERE `processed` = 'No' AND `verified` = 'Yes'";
         $result=mysql_query($query) or die("Error: ". mysql_error(). " with query ". $query);
         $num=mysql_num_rows($result);
         $i=0;
         while ($i < $num) {
             $displayheight=mysql_result($result,$i,"Display height");
             $sql="INSERT INTO ttmmodels (`Display height`) VALUES ('$displayheight')";
             $i++;
         }
  7. It's a long story...basically I'm a rookie and this is the easiest solution I can come up with
  8. I am trying to take this string...

         5' 10"

     And insert it into an sql table as this...

         5\' 10\"

     When I create the following variable, it gets inserted into the sql table without the backslashes.

         $displayheight = "5\' 10\"";

     I tried to figure this out using the php manual (It says use a double backslash for a "literal" backslash...whatever that is?)
  9. I'm trying to take this input string from an html form....

         5' 10"

     1) Put it into an sql table (this part is working)
     2) Take it out of first sql table using a php script and put it into a different sql table (this part is not working)

     Here is what I have code wise... The html form creates the variable "height" and assigns an integer for the chosen height:

         <select name="height" id="height2" size="1">
         <option value="70">5' 10"</option>

     The form processing script takes the variable integer and creates a variable for display as 5' 10"

         $height = $_POST['height'];
         IF ($height == "70") {$displayheight = "5\' 10\"";}

     The same script then "inserts" string into first table as 5' 10"

     When the second script tries to use the string, I get hung up because of the single and double quotes in the string. I'm using this in a while loop to extract the string from an array...

         $height=mysql_result($result,$i,"Height");

     Do I need to "escape" the variable at this point? Or do I have to store it in the first table with backslashes escaping both the single and double quotes? OR? As always, any help is greatly appreciated!!
  10. Did you mean as below? (I tried that) <input type="hidden" name="httpreferer" value="<?php echo $_SERVER['HTTP_REFERER']; ?>" />
  11. Can someone please tell me what I am doing wrong here? For some reason, the variable does not seem to be getting passed to the "action" php script.

      This input is in my html form (action=post)...

          <input type="hidden" name="httpreferer" value="<?php echo $_SERVER['HTTP_REFERER'] ?>" />

      This is in the action script...

          $httpreferer=$_POST['httpreferer'];
          echo $httpreferer;
  12. I'm thinking of using md5 &/or sha1 and salt to store passwords into an sql database table. My question is..would it not be safer to store the salt "clear text" in another table and just leave a "key" so to speak in the table with the password. In other words, if a hacker gets into the password and key table by using sql injection, does he only have access to that table since he wouldn't even know the name of the other table unless he also was able to access the script code.
  13. I am building a new site for my brother and was wondering what the users out here thought about the many options for password security in a MYSQL database. Is using md5 &/or sha1 with some scheme of salting enough? I am also curious about AES & BLOWFISH. How are these implemented? Also, are php code files on a server subject to the same security issues as an SQL database? (In other words, can hackers get at these files to view the code which might include schemes for salting?) Thanks to all, Newbie Tom Edit (KP): No need to shout
  14. Very interesting Dan and it makes a lot of sense now. What about using both md5 and sha1 and salt and concatenating them all together? Would that be another layer of defense? Or maybe 2 password fields stored in the database, one with the md5 data and one with the sha1 data?
  15. DAN!!!!!!!!!! You are truly the man! There was one blank line in the code before the opening php (<?php) statement in line 2. Once I deleted that first blank line...It worked just fine! Thank you so much for all your help, and BTW I will look into the other encrypting method you mentioned. I have only 2 passwords in the database (one of them encrypted/hashed) so now is a good time to start using whatever is the best encryption!! Thanks again SO MUCH to everyone who helped! I am sure my code is overall a LOT cleaner and better, but with plenty still to do!! Tom
  16. I can't figure out what this means: "session_start() and header() must be called before any output to the browser." What is meant by output to the browser? The calling of the header function? I do call "session_start();" at the start of my code and per the manual am supposed to also call "session_name" before "session_start" and before any other code, thus I now have my code beginning as follows:

          <?php
          session_name("sfjloginsession");
          session_start();
          // TURN ON ERROR REPORTING
          ini_set('display_errors',1);
          error_reporting(-1);

      My latest error gives this:

          Warning: Cannot modify header information - headers already sent by (output started at /home2/scripts3/public_html/sfjlogin.php:2) in /home2/scripts3/public_html/sfjlogin.php on line 46

      Is this maybe because I have some session info already stored and need to clear it??
  17. Thanks xyph...I put that code in and got this error message:

          Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home2/scripts3/public_html/sfjlogin.php:2) in /home2/scripts3/public_html/sfjlogin.php on line 7
          1thomas
          Warning: Cannot modify header information - headers already sent by (output started at /home2/scripts3/public_html/sfjlogin.php:2) in /home2/scripts3/public_html/sfjlogin.php on line 43

      It seems I have something wrong with the way I am using "session_start()" on line 7?? I am headed back to the manual, but unfortunately it is a little bit greek for me! Thanks to everyone for the help!! BTW...thanks Dan for the tip on using encryption!! Very cool!! Also, it seems like I really don't need the escaping for sql injection since I am not inserting or appending to the sql database in this script?? Here is my entire code at this point:

          <?php
          ini_set('display_errors',1);
          error_reporting(-1);
          session_start();
          // IMPORT FORM VARIABLES
          $fusername=$_POST['fusername'];
          $fpassword=$_POST['fpassword'];
          // CONNECT TO SERVER AND SELECT DATABASE
          mysql_connect("localhost", "scripts3_public", "******")or die("cannot connect");
          mysql_select_db("scripts3_sfj")or die("cannot select DB");
          // PROTECT AGAINST MYSQL INJECTION
          mysql_real_escape_string($fusername);
          mysql_real_escape_string($fpassword);
          // ENCRYPT FORM PASSWORD TO COMPARE WITH DATABASE ENCRYPTED PASSWORD
          $encrypt_fpassword=md5($fpassword);
          // LOOKUP USERNAME AND PASSWORD IN DATABASE COMPARED TO FORM ENTRIES
          $sql="SELECT * FROM `users` WHERE `User name` = '$fusername' AND `Password` = '$encrypt_fpassword'";
          $result=mysql_query($sql);
          if(!mysql_num_rows($result)) {echo "No results returned.";}
          // COUNT RESULTS
          $count=mysql_num_rows($result);
          // IF COUNT IS 1,REGISTER USERNAME AND PASSWORD AND REDIRECT
          if($count==1){
              echo $count;
              echo $fusername;
              $_SESSION['fusername']=$fusername;
              $_SESSION['fpassword']=$fpassword;
              header("Location: http://www.******.com/login_success.php");
              die();
          }
          else {
              echo "Wrong Username or Password";
          }
          ?>
  18. Sorry gang, I double posted! Man, it hurts being such a newbie!
  19. Thanks drummin. I changed to the double quotes but get the same result...an output of the $fusername and $count variables but no url redirection.
  20. Yes, if I add the 2 echo statements below, I get an output as follows:

          1thomas

      This is what I would expect and shows that I have made it into the "IF" function successfully.

          if($count==1){
              echo $count;
              echo $fusername;
              // Register $fusername, $fpassword and redirect to file "login_success.php"
              $_SESSION['fusername']=$fusername;
              $_SESSION['fpassword']=$fpassword;
              header('Location: http://www.***.com/login_success.php');
              die();
          }
          else {
              echo "Wrong Username or Password";
          }
          ?>
  21. BTW Dan, when I view source from the browser at sfjlogin.php I don't see anything (because it is all php on the server?) I don't get redirected anywhere from there. Thanks very much again!!! Tom
  22. Thanks again everyone. I feel like I should be paying you all for this help!! I corrected all the landing file errors but don't think I am even getting to that page (file) because the url doesn't change in my browser address box. I have 5 sites that are all using php flawlessly (with I'm sure lots of newbie coding flaws) at my host. (They are using php5.2... something) I had some little echo statements in the if execution at the end of my code to make sure I was getting that far and the echos worked fine, so I'm pretty sure it's not an exercise in futility.

      UPDATED CODE FROM INITIAL SCRIPT...

          if($count==1){
              // Register $fusername, $fpassword and redirect to file "login_success.php"
              $_SESSION['fusername']=$fusername;
              $_SESSION['fpassword']=$fpassword;
              header('Location: http://www.***.com/login_success.php');
              die();
          }
          else {
              echo "Wrong Username or Password";
          }
          ?>

      UPDATED CODE FROM LANDING FILE PAGE (login_success.php)...

          <?php
          session_start();
          if(!$_SESSION['fusername']){
              header("Location: sfjlogin.php");
              die();
          }
          ?>
          <html>
          <body>
          Login Successful
          </body>
          </html>
  23. OK, here is my updated code thanks to all of the wonderful corrections (Thank you all SO MUCH!!) The script is still not doing the re-direct for some reason?? Yes, I was indeed getting help from an (old) online tutorial as I am very new to the log in work. Dan...I don't even know what magic quotes are?? Should I still not use the stripslashes?? Also included below is the landing file code.

          if($count==1){
              // Register $fusername, $fpassword and redirect to file "login_success.php"
              $_SESSION["fusername"]=$fusername;
              $_SESSION["fpassword"]=$password;
              header("Location: login_success.php");
              die();
          }
          else {
              echo "Wrong Username or Password";
          }
          ob_end_flush();
          ?>

      LANDING FILE CODE:

          <?
          session_start();
          if(!session_is_registered(fusername)){
              header("location:sfjogin.php");
          }
          ?>
          <html>
          <body>
          Login Successful
          </body>
          </html>
  24. This is my first attempt at a log in system for a website. Everything seems to work fine until the "successful" IF function near the end. All I get is an output of "?>" instead of a redirect to the file "login_success.php". Any help would be GREATLY appreciated!! Tom

          <?php
          // Connect to server and select database.
          mysql_connect("localhost", "scripts3_public", "sfj123!")or die("cannot connect");
          mysql_select_db("scripts3_sfj")or die("cannot select DB");
          // username and password sent from form
          $fusername=$_POST['fusername'];
          $fpassword=$_POST['fpassword'];
          // To protect MySQL injection (more detail about MySQL injection)
          $fusername = stripslashes($fusername);
          $fpassword = stripslashes($fpassword);
          $fusername = mysql_real_escape_string($fusername);
          $fpassword = mysql_real_escape_string($fpassword);
          $sql="SELECT * FROM `users` WHERE `User name` = '$fusername' AND `Password` = '$fpassword'";
          $result=mysql_query($sql);
          if(!mysql_num_rows($result)) {echo "No results returned.";}
          // Mysql_num_row is counting table row
          $count=mysql_num_rows($result);
          // If result matched $fusername and $fpassword, table row must be 1 row
          if($count==1){
              // Register $fusername, $fpassword and redirect to file "login_success.php"
              session_register("fusername");
              session_register("fpassword");
              header("location:login_success.php");
          }
          else {
              echo "Wrong Username or Password";
          }
          ?>
  25. Can someone please give me some ideas as to what might be wrong with this query...I keep getting no result and am echoing $count for debugging (and usernames and passwords) but get nothing for $count (expecting a 0 or a 1) or $dbusername or $dbpassword

          $sql="SELECT * FROM `users` WHERE `User name` = '$fusername' and `Password` = '$fpassword'";
          $result=mysql_query($sql);
          $dbusername=mysql_result($result,0,"User name");
          $dbpassword=mysql_result($result,0,"Password");
          echo $dbusername;
          echo $dbpassword;
          // Mysql_num_row is counting table row
          $count=mysql_num_rows($result);
          // If result matched $fusername and $fpassword, table row must be 1 row
          echo $fusername;
          echo $fpassword;
          echo $count;
          if($count==1){

      (This is where I keep going to the else)
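Added example, not part of any post above: the temp-to-permanent copy from posts 1, 6 and 9 written with prepared statements, so the value 5' 10" is stored without backslashes and its quotes are never parsed as SQL. Table and column names follow the posts; the `id` column, the step that marks rows processed, and the in-memory SQLite database standing in for the MySQL server are assumptions.

```php
<?php
// Added example. `id`, the "mark as processed" update and the SQLite
// stand-in database are assumptions; the other names come from the posts.
function copyVerifiedHeights(PDO $db): int
{
    $rows = $db->query(
        "SELECT `id`, `Display height` FROM ttmmodeltemp
         WHERE `processed` = 'No' AND `verified` = 'Yes'"
    )->fetchAll(PDO::FETCH_ASSOC);

    // Placeholders send the value separately from the SQL text, so quotes in
    // the data need no escaping and no backslashes end up in the table.
    $insert = $db->prepare("INSERT INTO ttmmodels (`Display height`) VALUES (?)");
    $mark   = $db->prepare("UPDATE ttmmodeltemp SET `processed` = 'Yes' WHERE `id` = ?");

    $db->beginTransaction();
    foreach ($rows as $row) {
        $insert->execute([$row['Display height']]);
        $mark->execute([$row['id']]);
    }
    $db->commit();
    return count($rows);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ttmmodeltemp (`id` INTEGER PRIMARY KEY,
           `Display height` TEXT, `processed` TEXT, `verified` TEXT)");
$db->exec("CREATE TABLE ttmmodels (`Display height` TEXT)");

// Constructed sample rows; the stored value is the plain string 5' 10".
$seed = $db->prepare("INSERT INTO ttmmodeltemp
                      (`Display height`, `processed`, `verified`) VALUES (?, 'No', ?)");
$seed->execute(["5' 10\"", 'Yes']);
$seed->execute(["6' 1\"", 'No']);   // not verified, so it is not copied

$copied = copyVerifiedHeights($db);
$stored = $db->query("SELECT `Display height` FROM ttmmodels")
             ->fetchAll(PDO::FETCH_COLUMN);
printf("copied=%d stored=%s\n", $copied, implode(' | ', $stored));
```

The same placeholder approach applies to the login query in posts 17, 24 and 25; in post 17 the return value of `mysql_real_escape_string()` is discarded, so that query still receives the unescaped form input.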
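Added example, not part of any post above, for the password-storage questions in posts 12 to 14 and the `md5()` comparison in post 17: PHP's built-in `password_hash()` and `password_verify()`, with existing md5 values upgraded at the next successful login. The `$users` array is a constructed stand-in for the `users` table, and the account name and password are made up.

```php
<?php
// Added example. $users is a constructed in-memory stand-in for the `users`
// table (name => stored hash); the account and password are made up.
function checkLogin(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // A bare 32-character hex string is treated as a legacy unsalted md5 value.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);

    // After a successful login, replace legacy or outdated hashes.
    // password_hash() generates a random salt on every call and embeds it,
    // with the algorithm and cost, in the returned string, so no separate
    // salt column or salt table is needed.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

$users = ['thomas' => md5('constructed-Passw0rd')];

// Wrong password, then the correct one against the md5 value, then the
// correct one again against the upgraded hash.
var_dump(checkLogin($users, 'thomas', 'wrong-guess'));
var_dump(checkLogin($users, 'thomas', 'constructed-Passw0rd'));
var_dump(checkLogin($users, 'thomas', 'constructed-Passw0rd'));

// Hashing the same password twice gives two different strings because the
// salts differ; both still verify.
$a = password_hash('constructed-Passw0rd', PASSWORD_DEFAULT);
$b = password_hash('constructed-Passw0rd', PASSWORD_DEFAULT);
var_dump($a !== $b, password_verify('constructed-Passw0rd', $b));

// Algorithm recorded inside the upgraded hash.
echo password_get_info($users['thomas'])['algoName'], "\n";
```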