
login prob,, why?


justAnoob


this doesn't work,,, but my registration script works like this.

<?php
$username = $_POST['username'];
$password = $_POST['password'];

$sql=sprintf("SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1",
              mysql_real_escape_string($username),
              md5($pasword));
?>

and this works

<?php
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);

$sql="SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1";
?>

https://forums.phpfreaks.com/topic/161904-login-prob-why/

No, you don't have to use sprintf. It's actually better if you don't apply functions blindly if you don't know what they do and then come here and ask why it doesn't work and if you need to use it. :D If you don't know something, it's better to ask a more straightforward question.

Anyways, php.net is a great resource site for all things PHP. sprintf.

Edit - that's because you're not applying sprintf correctly. In your first post, $password is not hashed. So when you run the SQL, $password is still the original string the user typed in, not the hashed one in the DB. Read up on sprintf. I have the link above.

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-854237

http://php.net/sprintf

 

The function takes a string with variables to be replaced formatted like so:

%s = A string
%d = an integer

For now these are probably all you will need, there's a full list at the link on php.net

It then takes variables which are used to replace the % formatted data within the string, the first %? will be replaced by the first passed parameter, the 2nd %? by the second param etc...

So for your query to work, it needs to be in the following format...

$sql = sprintf("SELECT * FROM %s WHERE username = '%s' AND password = '%s' LIMIT 1",
   $tbl_name,
   mysql_real_escape_string($username),
   md5($password) );

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-854244

sprintf isn't all too effective for protecting your script. Just make sure that you cast user input that's expected to be integer type with (int) and use mysql_real_escape_string on your user inputted strings used for mysql.

Then when the data has been fetched by mysql just use stripslashes and htmlEntities on the data before echoing it to the screen.

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-854736

Okay, so back to the post I posted earlier where I took out 'sprintf' and then still had a problem with the ','

I've looked everywhere, and everyone is saying to use mysql_real_escape_string like this...

$var = mysql_real_escape_string($_POST['whatever']);

and not at the end of the SQL statement. Here is a simple register script that I have. This is what I've seen in examples that people are doing to protect against hackers. (I know if someone wanted to mess stuff up they will. Just looking for some basic protection.)

 

<?php
session_start();
require_once 'connection.php';

// check if username or email is already registered, if so, give error message
$username = mysql_real_escape_string($_POST["username"]);
$sql = "SELECT * FROM members WHERE username = '$username'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
// if username exists, display error
if($count > 0)
{
$_SESSION['dup'] = "This username is already registered. Please try again.";
header("location: http://www.--------.com/registration.php");
exit();
}
// if data is good, register the new member
else
{
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);

    $sql = "INSERT INTO %s (username, password, email)VALUES('$username','$password','$email')";

mysql_query($sql) or die(mysql_error());

unset($_SESSION['dup']);
$_SESSION['goodreg'] = "Thank you for registering. Please log in above.";
sleep(2);
header("location: http://www.------.com/registration.php");
mysql_close();
    exit();
}
?>

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-854861

Oops, sorry, don't mind that, I forgot to change that back to my table name. But taking a look at the script, if it was yours, what would you do to beef up the security? I'm not looking for anything crazy, just your basic. Also, why is my strLen not working correctly? It brings the error if the name is less than 6 or more than 12, but not something with, let's say, 8.

 

<?php
session_start();
require_once 'connection.php';

// check if username or email is already registered, if so, give error message
$username = mysql_real_escape_string($_POST["username"]);
$sql = "SELECT * FROM members WHERE username = '$username'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
// if username exists, display error
if($count > 0)
{
$_SESSION['dup'] = "This username is already registered. Please try again.";
header("location: http://www.-----.com/registration.php");
exit();
}
if(strLen($username) < 6 || strLen($username) > 12 )
{
   $_SESSION['length'] =  'Username can only be 6-12 characters in length.';
   header("location: http://www.------.com/registration.php");
   exit();
}
// if data is good, register the new member
else
{
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);

    $sql = "INSERT INTO members (username, password, email)VALUES('$username','$password','$email')";

mysql_query($sql) or die(mysql_error());

unset($_SESSION['dup']);
$_SESSION['goodreg'] = "Thank you for registering. Please log in above.";
sleep(2);
header("location: http://www.-------.com/registration.php");
mysql_close();
    exit();
}
?>

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-854869

I looked on Google and it shows examples of something like this, but I still get the same prob. Even if I enter a username that is 6 characters long, I get the error that the username is not the correct length.

<?php
if($count > 0)
{
   $_SESSION['dup'] = "This username is already registered. Please try again.";
   header("location: http://www.--------.com/registration.php");
   exit();
}
elseif( strLen($_POST["$username"]) < 6 || strLen($_POST["$username"]) > 12 )
{
   $_SESSION['length'] =  'Username can only be 6-12 characters in length.';
   header("location: http://www.---------.com/registration.php");
   exit();
}
// if data is good, register the new member
else
{
?>

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-854871

Okay, a couple times it worked. Now it does not. I can enter a username that is 6 or more characters and it still gives me the error that the username is not the correct length.

<?php
session_start();
require_once 'connection.php';

$username = mysql_real_escape_string($_POST["username"]);
$email = mysql_real_escape_string($_POST['email']);

$sql = "SELECT * FROM members WHERE username = '$username' and email = '$email'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

// if username is currently being used, display error
if($count > 0)
{
unset($_SESSION['length']);
$_SESSION['dup'] = "This username or email is already registered. Please try again.";
header("location: http://www.-------.com/registration.php");
exit();
}
// if username is not correct length, display error
elseif ( strLen($_POST["username"]) < 6 )
{
   unset($_SESSION['dup']);
   $_SESSION['length'] =  'Username must be a minimum of 6 characters in length.';
   header("location: http://www.------.com/registration.php");
   exit();
}

// if data is good, register the new member
else
{
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);

    $sql = "INSERT INTO members (username, password, email)VALUES('$username','$password','$email')";

mysql_query($sql) or trigger_error();

unset($_SESSION['dup']);
$_SESSION['goodreg'] = "Thank you for registering. Please log in above.";
sleep(2);
header("location: http://www.------.com/registration.php");
mysql_close();
    exit();
}
?>

Is there something wrong with the if,elseif,else?

https://forums.phpfreaks.com/topic/161904-login-prob-why/#findComment-855090
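
An added example, not code from the thread or from any poster: the register and login flow discussed above, written with PDO prepared statements and password_hash()/password_verify() in place of mysql_real_escape_string() and md5(). It assumes the pdo_sqlite extension, uses an in-memory SQLite table as a stand-in for the members table, and the function names register() and login() are hypothetical.

```php
<?php
// Added example, not the poster's code. In-memory SQLite stands in for the
// MySQL "members" table so the script runs offline; function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (
    username TEXT PRIMARY KEY,
    password TEXT NOT NULL,
    email    TEXT NOT NULL UNIQUE)');

function register(PDO $pdo, string $username, string $password, string $email): string
{
    // Validate the raw input first, before any query runs.
    $len = strlen($username);
    if ($len < 6 || $len > 12) {
        return 'Username can only be 6-12 characters in length.';
    }
    // Placeholders keep data out of the SQL text, so no manual escaping is needed.
    $dup = $pdo->prepare('SELECT 1 FROM members WHERE username = ? OR email = ?');
    $dup->execute([$username, $email]);
    if ($dup->fetchColumn() !== false) {
        return 'This username or email is already registered.';
    }
    // password_hash() salts and stretches the password; md5() does neither.
    $ins = $pdo->prepare('INSERT INTO members (username, password, email) VALUES (?, ?, ?)');
    $ins->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email]);
    return 'ok';
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Fetch the stored hash and verify in PHP; the hash is never rebuilt inside the SQL.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input; the first username deliberately contains a single quote.
var_dump(register($pdo, "o'brien1", 'correct horse', 'ob@example.test'));
var_dump(register($pdo, 'short', 'x', 'a@example.test'));
var_dump(register($pdo, "o'brien1", 'other', 'b@example.test'));
var_dump(login($pdo, "o'brien1", 'correct horse'));
var_dump(login($pdo, "o'brien1", 'wrong'));
```

The mysql_* functions used in the thread were removed in PHP 7.0; the prepare()/execute() calls shown here are the same against MySQL with a mysql: DSN.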

Archived

This topic is now archived and is closed to further replies.
