[thelist] PHP/MySQL help required

Anthony Baratta Anthony at Baratta.com
Sat Feb 2 20:05:00 CST 2002


At 05:58 PM 2/2/2002, Dave Stevens wrote:

>$sql = "SELECT * FROM customers WHERE username=$username";
>
>         $result = mysql_query($sql);

Why not embed the password check into the SQL??

SELECT * FROM customers WHERE username=$username AND password=$password

Then check the $result returned. If you have data, then the password and
user name matched.

Also you need to "escape" the data being passed from the user's form, so
that you can limit the "bad guys" from mucking with your server. The Perl
DBI has an autoquoting function, PHP should have the same thing there
somewhere.

---
Anthony Baratta
President
Keyboard Jockeys

"Conformity is the refuge of the unimaginative."
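Added example, not part of the thread or anyone's posted code: the string-built login query from the discussion beside a parameterized one, written in Python with sqlite3 rather than PHP/MySQL so it runs stand-alone. The customers table, its single row and the quoting around the interpolated values are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one customers row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT)")
    conn.execute("INSERT INTO customers VALUES ('O''Brien', 'secret')")
    conn.commit()
    return conn


def login_interpolated(conn, username, password):
    """Mirrors the thread's approach: the user's text is spliced into the
    SQL string, so the database parses it as part of the statement. A
    legitimate name containing an apostrophe is enough to break the query."""
    sql = ("SELECT * FROM customers WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """The 'autoquoting' the mail asks for: placeholders hand the values to
    the driver separately from the SQL text, so they are only ever compared
    as data and never interpreted as syntax."""
    sql = "SELECT * FROM customers WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run both variants against the same row and report what each does."""
    conn = make_db()
    results = {}
    try:
        login_interpolated(conn, "O'Brien", "secret")
        results["interpolated"] = "ok"
    except sqlite3.OperationalError as exc:
        results["interpolated"] = "error: %s" % exc
    results["parameterized_good"] = login_parameterized(conn, "O'Brien", "secret")
    results["parameterized_bad"] = login_parameterized(conn, "O'Brien", "wrong")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```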
