Jump to content

I can't get the new username and password to enter correctly for an application I'm creating


Recommended Posts

When I try to setup a contact form application I'm working on, it doesn't work. I'm using "root" as the username and password. This is what I get for the username and password entires in the database:

 

PHP is 5.4.4 and MySQL is 5.5.25

 

Username: {mysql_real_escape_string(root

 

Password: {mysql_real_escape_string(root

 

This is the code I'm using:

 

Install.php

 

<html>
<head>
<title>
Install contact form
</title>


</head>
<body>


<form action="install-script.php" method="post">
<fieldset>
<label for="new_admin_username">Username of administrator account:</label>
<input type="text" name="new_admin_username" size="40" class="required"/>
<br>
<label for="new_admin_password">Password:</label>
<input type="text" name="new_admin_password" size="40" class="required"/>
<br><!--
<label for="new_admin_confirm_password">Confirm password:</label>
<input type="password" name="new_admin_confirm_password" size="40" class="required"/>
<br> -->
</fieldset>
<fieldset align="center">
<input type="submit" value="Install"/>
</fieldset>
</form>


</body>
</html>

 

install-script.php

 

<?php


require 'dbconnect.php';


// Get user account information from installation form


$new_admin_username = trim($_REQUEST['new_admin_username']);
$new_admin_password = trim($_REQUEST['new_admin_password']);


// Create the user table


$create_user_table = "
CREATE TABLE /*$dbprefix*/users (
user_id int AUTO_INCREMENT PRIMARY KEY,
username varchar(30) NOT NULL,
password varchar(30) NOT NULL
);
";


mysql_query($create_user_table)
or die(mysql_error());


// Create table for storing messages


$create_message_table = "
CREATE TABLE /*$dbprefix*/messages (
message_id int AUTO_INCREMENT PRIMARY KEY,
sender_name varchar(50) NOT NULL,
sender_email varchar(50) NOT NULL,
sender_message varchar(2000) NOT NULL
);
";


mysql_query($create_message_table)
or die(mysql_error());


// Create user account


$new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)".
"VALUES ('{mysql_real_escape_string($new_admin_username)}',".
"'{mysql_real_escape_string($new_admin_password)}');";


mysql_query($new_admin_create_account)
or die(mysql_error());


?>

Edited by Inquisitor_Ehrenstein

You can't put a function within a string like that. As you should be able to deduce from your bad data.

 

Ok, thanks. The book I have showed an example like that. How do I make user input secure, since it needs to have an escape like that?

 

EDIT

 

I just tried this:

 

// Create user account


$new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)".
           "VALUES ({mysql_real_escape_string('$new_admin_username')},".
                   "{mysql_real_escape_string('$new_admin_password')});";


mysql_query($new_admin_create_account)
 or die(mysql_error());

 

The username and password are "root" as they should be. Will this code escape the SQL code that's being input?

Edited by Inquisitor_Ehrenstein

You can't use functions inside a string.

So where CAN you use them?

 

It looks like the string is coming after the function.

 

EDIT

 

It looks like now the string is inside the function.

Edited by Inquisitor_Ehrenstein

She's talking about the PHP string (not the mySQL string value)

 

This statement:

$new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)".
"VALUES ('{mysql_real_escape_string($new_admin_username)}',".
"'{mysql_real_escape_string($new_admin_password)}');";

is building a string. This part "VALUES ('{mysql_real_escape_string($new_admin_username)}',"

is a string (literal). While you can use variables inside a (double-quoted) string, you can not use a function inside a string.

 

You have to break the string assignment up and concatenate the function's return value.

 

$new_admin_create_account = "INSERT INTO users (username, password)" .
   "VALUES ('" . mysql_real_escape_string($new_admin_username) . "'," .
   "'" . mysql_real_escape_string($new_admin_password) . "');";

You cannot put mysql_real_escape_string INSIDE OF ANOTHER STRING.

 

If you do echo "strlen($str)"; you will not get the strlen of $str. Move your function OUT OF THE STRING.

Ok, I see how it works. In

" . mysql_real_escape_string($new_admin_username) . "

, ". and ." are separating

mysql_real_escape_string($new_admin_username)

out of the string.

Edited by Inquisitor_Ehrenstein
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.