Jump to content

Recommended Posts

Hi all.

 

Just wanted to post this snippet to make sure I wrote it correctly.  My intent is that upon clicking "Enter" on the home page, the login request will get sent to this snippet, escape the dangerous characters, then validate according to the result returned from the users table.

<?php
include('connect.php');

$usr=mysql_real_escape_string($_POST['usr']);
$pwd=mysql_real_escape_string($_POST['pwd']);

$sql="SELECT FROM users WHERE username='$usr' AND password='$pwd'";
$query=mysql_query($sql);
$num=mysql_num_rows($query);

if($num!=1){
   header('Location: index.php');
}

?>

 

Link to comment
https://forums.phpfreaks.com/topic/205168-simple-login-safety-check/
Share on other sites

You need to make sure that the $_POST variables exist first before doing anything with them (IE: checking if the form was submitted).

 

So I've figured out that for some reason, the mysql_real_escape_string() is causing problems.  When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value.  Anybody know why this might be?

You need to make sure that the $_POST variables exist first before doing anything with them (IE: checking if the form was submitted).

 

So I've figured out that for some reason, the mysql_real_escape_string() is causing problems.  When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value.  Anybody know why this might be?

 

I did that.  As a test, I commented out the mysql_real_escape lines and just echoed the $_POST variables and they showed up.  It seems like something happens when they mysql_real_escape lines are executed because if I try to echo the $usr and $pwd variables, nothing shows up, but the $_POST variables will.

You need to make sure that the $_POST variables exist first before doing anything with them (IE: checking if the form was submitted).

 

So I've figured out that for some reason, the mysql_real_escape_string() is causing problems.  When I put my $_POST variables in the function, the variables $usr and $pwd wind up having no value.  Anybody know why this might be?

 

I did that.  As a test, I commented out the mysql_real_escape lines and just echoed the $_POST variables and they showed up.  It seems like something happens when they mysql_real_escape lines are executed because if I try to echo the $usr and $pwd variables, nothing shows up, but the $_POST variables will.

 

That's impossible unless your strings are made up of newlines, carriage returns and quotes...

 

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

 

Please do this and reply with the output:

 

echo "BEFORE";
echo "usr: " . $_POST['usr'];
echo "pwd: " . $_POST['pwd'];
$usr=mysql_real_escape_string($_POST['usr']);
$pwd=mysql_real_escape_string($_POST['pwd']);
echo "AFTER";
echo "usr: " . $usr;
echo "pwd: " . $pwd;

 

You shouldn't be using mysql_real_escape_string() for the password field at all. It should be stored in the DB as a hash value, and compared to the hash value of the submitted password.

 

Sorry for the long delay.  Decided to take some time off.  So idk why I didn't realize it earlier but you're right, I shouldn't be using mysql_real_escape_string().  My goal is to basically protect against injection as this project will eventually be hosted online.  With that said, what's the best method to prevent against said injection?  I assume the best way would be to clean the data of any dangerous characters before comparing it with database values, correct?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.