bobleny Posted February 19, 2007

This script is supposed to verify the username entered by the user before logging them in. The problem is that even though the entered username matches the username in the database, the script denies it. Could someone please help me?

```php
<?php
// Look up the submitted username (the input is placed directly into the SQL string)
$sql = "SELECT * FROM `users` WHERE `name` = '{$_POST['username']}'";
$query = mysql_query($sql);

// Query failed: record the error and redirect to the error page
if (!$query) {
    $_SESSION['error_message'] = mysql_error();
    $_SESSION['error_location'] = "Page: " . $page . " - Line: 249";
    mysql_close();
    sendem('error', .1);
    die();
}

$get = mysql_fetch_assoc($query);

if (!$get) {
    // No matching row: flag the wrong username and send the user back to the login page
    mysql_close();
    $_SESSION['wrong_username'] = TRUE;
    $_SESSION['user_logged_code_5223'] = FALSE;
    sendem('login', .1);
} else {
    // Matching row found: keep the values needed for the rest of the login
    $_SESSION['level'] = $get['level'];
    $rawpassword = $get['password'];
    $rawusername = $get['username'];
    mysql_close();
}
?>
```

God, I wish I could fix these things myself.... :'(

Thanks for any help!

Link to comment: https://forums.phpfreaks.com/topic/39115-have-trouble-with-an-awkward-login-script/

btherl Posted February 19, 2007

Ooh, that is very dangerous. That allows an injection attack on your database, and it also may corrupt usernames with special characters. Try this:

```php
$username_esc = mysql_real_escape_string(urldecode($_POST['username']));
$sql = "SELECT * FROM `users` WHERE `name` = '$username_esc'";
```

Also, try echoing out $sql to verify that it looks how you expect it to look. Maybe with a chance to see the query you will notice something.

Edit: A question.. do you connect to the database before this script is run?

bobleny Posted February 19, 2007 Author

Lol, of course I connect before I run that script....

I must thank you for pointing out the mysql injection thing to me. I unfortunately don't know much about MySQL and am unable to see things like that... I've looked up mysql injection online before, but never understand what is going on...

I have a question too.... What is this, and what does it do?

```php
mysql_real_escape_string(urldecode($_POST['username']));
```

I guess that was actually 2 questions...

Thanks!

bobleny Posted February 19, 2007 Author

I looked up mysql_real_escape_string() in the php manual. From my understanding, well, it is clear that it prevents mysql injection... I don't quite understand it....

I also looked up the urldecode() and that flew right past me as well...

bobleny Posted February 20, 2007 Author

God! No wonder I haven't had any replies.... I never asked a question!

I meant to ask in my last post if someone could explain what the mysql_real_escape_string() does, and what the urldecode() does.

So, could someone help?

fenway Posted February 20, 2007

It just ensures that any special characters are properly escaped and treated as string literals... as for url decoding, it's simply a matter of "un-doing" the encoding which guarantees a valid format for URLs with special characters (like spaces).
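
An added example, not code from any poster in this thread: it shows what "treated as string literals" means by running the same lookup with the input concatenated into the SQL text and with the input bound as a parameter. It goes beyond the thread by using PDO with an in-memory SQLite database and a prepared statement instead of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7); the table contents, inputs and function names are constructed for illustration.

```php
<?php
// Added example: constructed table and inputs, in-memory SQLite through PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, level INTEGER)");
$db->exec("INSERT INTO users VALUES ('bob', 1), ('O''Brien', 2)");

// Same pattern as the original script: the input becomes part of the SQL text,
// so a quote character in it ends the string literal early.
function lookupConcatenated(PDO $db, string $name): string {
    try {
        $sql = "SELECT name FROM users WHERE name = '$name'";
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        return count($rows) . ' row(s)';
    } catch (PDOException $e) {
        return 'query failed';
    }
}

// Prepared statement: the value travels separately from the SQL text and is
// only ever compared as data, whatever characters it contains.
function lookupBound(PDO $db, string $name): string {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) . ' row(s)';
}

// Constructed inputs: a plain name, a real name with an apostrophe, and a
// value whose quotes would change the meaning of the concatenated query.
$inputs = ["bob", "O'Brien", "x' OR 'a'='a"];
foreach ($inputs as $in) {
    printf("%-14s concatenated: %-13s bound: %s\n",
        $in, lookupConcatenated($db, $in), lookupBound($db, $in));
}

// PHP has already URL-decoded form fields by the time they reach $_POST,
// so calling urldecode() on them again alters values containing '+' or '%'.
$alreadyDecoded = 'a+b%41'; // constructed: a value as $_POST would hold it
printf("urldecode('%s') gives '%s'\n", $alreadyDecoded, urldecode($alreadyDecoded));
```

Only the concatenated column changes between the three inputs; the bound lookup returns a row exactly when the stored name equals the input character for character.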
Archived
This topic is now archived and is closed to further replies.