[thelist] PHP/MySQL help required
Anthony Baratta
Anthony at Baratta.com
Sat Feb 2 20:05:00 CST 2002
At 05:58 PM 2/2/2002, Dave Stevens wrote:
>$sql = "SELECT * FROM customers WHERE username=$username";
>
> $result = mysql_query($sql);
Why not embed the password check into the SQL??
SELECT * FROM customers WHERE username=$username AND password=$password
Then check the $result returned. If you have data, then the password and
user name matched.
Also you need to "escape" the data being passed from the user's form, so
that you can limit the "bad guys" from mucking with your server. The Perl
DBI has an autoquoting function; PHP should have the same thing there
somewhere.
---
Anthony Baratta
President
Keyboard Jockeys
"Conformity is the refuge of the unimaginative."
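The lookup discussed above, rewritten as an added example (not code from the thread or its authors): a parameterized PDO query takes the place of the DBI-style quoting Anthony mentions, and, as an addition to the thread's advice, the password is checked against a stored hash in PHP rather than a plaintext `password` column in the WHERE clause. The `customers` columns `id`, `username` and `password_hash`, and the connection values, are assumed.

```php
<?php
// Added example: the customers lookup from the thread with placeholders
// instead of string-built SQL. Schema (id, username, password_hash) and the
// connection details are hypothetical.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: bound values are sent apart from the SQL text,
        // so quoting and escaping are never left to string concatenation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Returns the customer row on success, null if the login fails.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // ":u" replaces "username=$username" from the quoted code; the driver
    // binds the value, so form input cannot alter the statement's structure.
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM customers WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a password_hash() digest in PHP rather than matching a
    // plaintext column inside the query (an addition to the thread's advice).
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Usage (placeholder DSN and credentials):
// $pdo = connect('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret');
// $customer = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($customer === null) { http_response_code(401); exit('Login failed'); }
```

The escaping function Anthony guesses at existed in the old mysql extension as mysql_real_escape_string() (removed in PHP 7); with bound placeholders it is not needed, because the value never becomes part of the SQL string.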