RopeADope Posted June 18, 2010 Share Posted June 18, 2010 Hi all. Just wanted to post this snippet to make sure I wrote it correctly. My intent is that upon clicking "Enter" on the home page, the login request will get sent to this snippet, escape the dangerous characters, then validate according to the result returned from the users table. <?php include('connect.php'); $usr=mysql_real_escape_string($_POST['usr']); $pwd=mysql_real_escape_string($_POST['pwd']); $sql="SELECT FROM users WHERE username='$usr' AND password='$pwd'"; $query=mysql_query($sql); $num=mysql_num_rows($query); if($num!=1){ header('Location: index.php'); } ?> Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/ Share on other sites More sharing options...
RopeADope Posted June 18, 2010 Author Share Posted June 18, 2010 So I've figured out that for some reason, the mysql_real_escape_string() is causing problems. When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value. Anybody know why this might be? Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1073948 Share on other sites More sharing options...
Maq Posted June 18, 2010 Share Posted June 18, 2010 When I put my $_POST variables in the function What function? Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1073998 Share on other sites More sharing options...
kratsg Posted June 18, 2010 Share Posted June 18, 2010 You need to make sure that the $_POST variables exist first before doing anything with them (IE: checking if the form was submitted). So I've figured out that for some reason, the mysql_real_escape_string() is causing problems. When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value. Anybody know why this might be? Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1074001 Share on other sites More sharing options...
RopeADope Posted June 18, 2010 Author Share Posted June 18, 2010 You need to make sure that the $_POST variables exist first before doing anything with them (IE: checking if the form was submitted). So I've figured out that for some reason, the mysql_real_escape_string() is causing problems. When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value. Anybody know why this might be? I did that. As a test, I commented out the mysql_real_escape lines and just echoed the $_POST variables and they showed up. It seems like something happens when they mysql_real_escape lines are executed because if I try to echo the $usr and $pwd variables, nothing shows up, but the $_POST variables will. Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1074017 Share on other sites More sharing options...
Maq Posted June 18, 2010 Share Posted June 18, 2010 You need to make sure that the $_POST variables exist first before doing anything with them (IE: checking if the form was submitted). So I've figured out that for some reason, the mysql_real_escape_string() is causing problems. When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value. Anybody know why this might be? I did that. As a test, I commented out the mysql_real_escape lines and just echoed the $_POST variables and they showed up. It seems like something happens when they mysql_real_escape lines are executed because if I try to echo the $usr and $pwd variables, nothing shows up, but the $_POST variables will. That's impossible unless your strings are made up of newlines, carriage returns and quotes... mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. Please do this and reply with the output: echo "BEFORE"; echo "usr: " . $_POST['usr']; echo "pwd: " . $_POST['pwd']; $usr=mysql_real_escape_string($_POST['usr']); $pwd=mysql_real_escape_string($_POST['pwd']); echo "AFTER"; echo "usr: " . $usr; echo "pwd: " . $pwd; Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1074019 Share on other sites More sharing options...
Pikachu2000 Posted June 18, 2010 Share Posted June 18, 2010 You shouldn't be using mysql_real_escape_string() for the password field at all. It should be stored in the DB as a hash value, and compared to the hash value of the submitted password. Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1074024 Share on other sites More sharing options...
RopeADope Posted June 25, 2010 Author Share Posted June 25, 2010 You shouldn't be using mysql_real_escape_string() for the password field at all. It should be stored in the DB as a hash value, and compared to the hash value of the submitted password. Sorry for the long delay. Decided to take some time off. So idk why I didn't realize it earlier but you're right, I shouldn't be using mysql_real_escape_string(). My goal is to basically protect against injection as this project will eventually be hosted online. With that said, what's the best method to prevent against said injection? I assume the best way would be to clean the data of any dangerous characters before comparing it with database values, correct? Quote Link to comment https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/#findComment-1077132 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.