From: Karl DeSaulniers on 29 Apr 2010 10:44

Yes. You are correct. Did not include that part, sorry.
Don't forget mysql_real_escape_string. :)

Karl

On Apr 29, 2010, at 9:37 AM, Peter Lind wrote:

> On 29 April 2010 15:00, Karl DeSaulniers <karl(a)designdrumm.com> wrote:
>> Hi,
>> Maybe try...
>>
>> $benutzername = $_GET['username'];
>> $pass = $_GET['password'];
>>
>> $result = mysql_query("SELECT * FROM usertable WHERE sqlbenutzername='$benutzername'");
>
> Don't use values from $_GET without sanitizing first. If using mysql_*
> functions, sanitize with mysql_real_escape_string() first.
>
>> while($r = mysql_fetch_assoc($result)) {
>> $dbbenutzer = $r["sqlbenutzername"];
>> $dbpasswort = $r["sqlpasswort"];
>> }
>> if($benutzername == $dbbenutzer && $pass == $dbpasswort){
>
> This would work but only if you're storing passwords in the database
> in clear text - which is a Bad Thing and should be avoided. Hash the
> passwords before storing and compare with a hashed version, not the
> cleartext.
>
> Regards
> Peter

Karl DeSaulniers
Design Drumm
http://designdrumm.com
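As an added example (not part of the original posts): the two points Peter raises, untrusted input in the query and cleartext passwords, handled here with a PDO prepared statement in place of mysql_real_escape_string() and with PHP's password_hash()/password_verify(). The table and column names come from the thread; the in-memory SQLite database, the helper names register_user() and check_login(), and the sample accounts are assumptions made for the example.

```php
<?php
// Added example. Constructed in-memory SQLite database so the script runs
// offline; table and column names follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usertable (
    sqlbenutzername TEXT PRIMARY KEY,
    sqlpasswort     TEXT NOT NULL
)');

// Hash verified for unknown users so both outcomes cost one verification.
define('DUMMY_HASH', password_hash('unused-placeholder', PASSWORD_DEFAULT));

// Hypothetical helper: store a salted hash, never the cleartext password.
function register_user(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare(
        'INSERT INTO usertable (sqlbenutzername, sqlpasswort) VALUES (?, ?)'
    );
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: true only if the user exists and the password matches.
function check_login(PDO $db, string $user, string $pass): bool
{
    // The placeholder sends the value separately from the SQL text,
    // so quotes in $user cannot change the query.
    $stmt = $db->prepare(
        'SELECT sqlpasswort FROM usertable WHERE sqlbenutzername = ?'
    );
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $hash);
}

// Constructed sample accounts and login attempts.
register_user($db, 'alice', 'correct horse');
register_user($db, "o'brien", 'battery staple');

var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, "o'brien", 'battery staple'));
var_dump(check_login($db, 'alice', 'wrong password'));
var_dump(check_login($db, 'nobody', 'correct horse'));
```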