From: Karl DeSaulniers on
Yes. You are correct. Did not include that part, sorry.
Don't forget mysql_real_escape_string.
:)

Karl


On Apr 29, 2010, at 9:37 AM, Peter Lind wrote:

> On 29 April 2010 15:00, Karl DeSaulniers <karl(a)designdrumm.com> wrote:
>> Hi,
>> Maybe try...
>>
>> $benutzername = $_GET['username'];
>> $pass = $_GET['password'];
>>
>> $sql = "SELECT * FROM usertable WHERE
>> sqlbenutzername='$benutzername'";
>> $result = mysql_query($sql);
>
> Don't use values from $_GET without sanitizing first. If using mysql_*
> functions, sanitize with mysql_real_escape_string() first.
>
>> while($r = mysql_fetch_assoc($result)) {
>> $dbbenutzer = $r["sqlbenutzername"];
>> $dbpasswort = $r["sqlpasswort"];
>> }
>> if($benutzername == $dbbenutzer && $pass == $dbpasswort){
>
> This would work but only if you're storing passwords in the database
> in clear text - which is a Bad Thing and should be avoided. Hash the
> passwords before storing and compare with a hashed version, not the
> cleartext.
>
> Regards
> Peter
>
> --
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> Flickr: http://www.flickr.com/photos/fake51
> BeWelcome: Fake51
> Couchsurfing: Fake51
> </hype>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Karl DeSaulniers
Design Drumm
http://designdrumm.com
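As an added example (not code from the thread or from either poster), the login check above rewritten to follow Peter's two points: the user-supplied value never reaches the SQL string, and only a password hash is stored and compared. It assumes PHP 7+ with mysqli, a `usertable` whose `sqlpasswort` column holds a `password_hash()` result instead of clear text, and placeholder connection details; since the `mysql_*` extension was removed in PHP 7, mysqli prepared statements stand in for `mysql_real_escape_string()`.

```php
<?php
// Added example: hardened form of the login check discussed in the thread.
// Assumes PHP 7+ with mysqli; connection values below are placeholders.

// Registration side: store only a hash, never the clear-text password.
function storeUser(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO usertable (sqlbenutzername, sqlpasswort) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Login side: the username is bound as a parameter, so quotes in the request
// cannot alter the query; the password is checked against the stored hash.
function checkLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT sqlpasswort FROM usertable WHERE sqlbenutzername = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: spend the same hashing cost anyway so response time
        // does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $storedHash);
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholders

// The thread read credentials from $_GET; a password in the URL ends up in
// server and proxy logs, so read it from the POST body instead.
$benutzername = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (checkLogin($db, $benutzername, $pass)) {
    echo 'login ok';
} else {
    echo 'login failed';
}
```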