Simple login, safety check


RopeADope

Hi all.

 

Just wanted to post this snippet to make sure I wrote it correctly.  My intent is that upon clicking "Enter" on the home page, the login request will get sent to this snippet, escape the dangerous characters, then validate according to the result returned from the users table.

<?php
include('connect.php');

// Only act on a submitted form: make sure both fields exist before touching them.
if (!isset($_POST['usr'], $_POST['pwd'])) {
    header('Location: index.php');
    exit;
}

// mysql_real_escape_string() needs the MySQL link opened in connect.php;
// without an open connection it returns false, i.e. an empty-looking value.
$usr=mysql_real_escape_string($_POST['usr']);
$pwd=mysql_real_escape_string($_POST['pwd']);

// SELECT needs a column list; the original "SELECT FROM users" is a syntax error.
$sql="SELECT username FROM users WHERE username='$usr' AND password='$pwd'";
$query=mysql_query($sql);
$num=mysql_num_rows($query);

if($num!=1){
   header('Location: index.php');
   exit; // header() alone does not stop the script from running on
}

?>

 


You need to make sure that the $_POST variables exist first before doing anything with them (i.e., checking if the form was submitted).

 

So I've figured out that for some reason, the mysql_real_escape_string() is causing problems.  When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value.  Anybody know why this might be?



I did that. As a test, I commented out the mysql_real_escape lines and just echoed the $_POST variables and they showed up. It seems like something happens when the mysql_real_escape lines are executed, because if I try to echo the $usr and $pwd variables, nothing shows up, but the $_POST variables will.



That's impossible unless your strings are made up of newlines, carriage returns and quotes...

 

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

 

Please do this and reply with the output:

 

echo "BEFORE";
echo "usr: " . $_POST['usr'];
echo "pwd: " . $_POST['pwd'];
$usr=mysql_real_escape_string($_POST['usr']);
$pwd=mysql_real_escape_string($_POST['pwd']);
echo "AFTER";
echo "usr: " . $usr;
echo "pwd: " . $pwd;

 


You shouldn't be using mysql_real_escape_string() for the password field at all. It should be stored in the DB as a hash value, and compared to the hash value of the submitted password.

 

Sorry for the long delay. Decided to take some time off. So I don't know why I didn't realize it earlier, but you're right, I shouldn't be using mysql_real_escape_string(). My goal is to basically protect against injection as this project will eventually be hosted online. With that said, what's the best method to protect against said injection? I assume the best way would be to clean the data of any dangerous characters before comparing it with database values, correct?

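The thread stops at this question. As an added example (not code posted in the thread), here is the approach the two replies above point at: a prepared statement with bound parameters instead of escaping, and a hashed password column checked with password_verify(). The PDO DSN and credentials, the password_hash column name and the home.php success page are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes a `users` table with
// columns `username` and `password_hash` (the thread's table uses `password`).
declare(strict_types=1);

function connect(): PDO
{
    // Placeholder DSN and credentials: replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Registration: never store the plaintext; store a salted hash.
function registerUser(PDO $pdo, string $usr, string $pwd): void
{
    $hash = password_hash($pwd, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $usr, ':h' => $hash]);
}

// Login: the username is a bound parameter, so quotes inside it are data, not SQL,
// and the password never goes anywhere near the query text.
function checkLogin(PDO $pdo, string $usr, string $pwd): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $usr]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($pwd, $row['password_hash']);
}

// Request handling: check the fields exist before using them (the point raised above).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['usr'], $_POST['pwd'])) {
    $pdo = connect();
    if (checkLogin($pdo, (string) $_POST['usr'], (string) $_POST['pwd'])) {
        session_start();
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['user'] = (string) $_POST['usr'];
        header('Location: home.php');  // assumed landing page
    } else {
        header('Location: index.php');
    }
    exit; // header() does not stop the script
}
```

Because the values are bound rather than spliced into the SQL string, no character cleaning is needed; the "dangerous characters" approach from the original snippet is what the prepared statement replaces.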
