How to display data from database after login

egami
php-forum GURU
Posts: 2192
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Fri Nov 02, 2012 9:27 am

You're not off to a very good start with your PHP scripting, and I'm not trying to be rude.
So, I'll give you my $0.02 worth, and you can take it from there.


First, never take user input as valid data. Ever.

$user = $_POST['user'];

This is very, very bad.

$user = mysql_real_escape_string(strip_tags(trim($_POST['user'])));
$pass = mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

php.net/mysql_real_escape_string == removes SQL injection from variables
php.net/strip_tags == removes possible tags for injection (html, body, div, etc.)
php.net/trim == removes any white space before and after the string

This eliminates any SQL injection probabilities. VERY IMPORTANT TO REMEMBER.


This..

if (!$user || !$pwd) {
  echo 'You have not entered search details. Please go back and try again.';
  exit;
}

Is all kinds of wrong. If the $_POST vars exist but are empty, your variables will exist but be empty. Thus it is literally saying:

if NOT $user OR NOT $pwd

There are two things wrong here.
The first: the variable does exist.
The second: you're saying if the user OR the password doesn't exist... throw the error. It really should be both.

So it should be written more like this..

if (isset($_POST['user']) && $_POST['user'] != '') {  // isset() so a missing field does not raise a notice
  $user = mysql_real_escape_string(strip_tags(trim($_POST['user'])));
} else {
  $error[] = "Username cannot be empty.";
}

if (isset($_POST['pwd']) && $_POST['pwd'] != '') {
  $pwd = mysql_real_escape_string(strip_tags(trim($_POST['pwd'])));
  // However, you should *NEVER* store passwords in clear text.
  // $pwd = md5(mysql_real_escape_string(strip_tags(trim($_POST['pwd']))));
} else {
  $error[] = "Password cannot be empty or blank.";
}

if (!isset($error)) {
  // both fields were supplied and cleaned: run the login query here
}


But really, now that's out of the way..
Your SQL problem is this..


$query = "select * from newsignup where ".$user." like '%".$pwd."%'";
This means..
SELECT EVERYTHING FROM newsignup WHERE whatever-user-name-was-put-in-the-form LOOKS LIKE whatever-password-was-put-in-the-form. (But even then, the syntax is all kinds of wrong.)

It should probably look a bit more like..

$query = "SELECT * FROM newsignup WHERE user = '$user' AND pwd = '$pwd'";
This means..
SELECT EVERYTHING FROM newsignup WHERE the field 'user' is exactly what-ever-username-was-entered AND the pwd field is exactly what-ever-password-was-entered-by-the-user.

This is a correctly formatted SQL query. And it's also the query you SHOULD be using as it is looking for exact matches, and not "any-thing-like". Searching for LIKE in a username/pass combo is a bad idea.
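As an added example that is not egami's or the forum's code: the same login lookup with the username sent as a bound parameter and the password checked against a stored hash, so neither escaping nor string building is needed. It assumes only the thread's `newsignup` table with `user` and `pwd` columns, recreated here in an in-memory SQLite database with one constructed row so it runs offline.

```php
<?php
// Added example (not the poster's code): the thread's login lookup written
// with a prepared statement and a password hash instead of escaping and
// string concatenation. Assumes a table shaped like the thread's `newsignup`
// (columns `user`, `pwd`); here an in-memory SQLite copy with constructed data.

function validate_login_input(array $post)
{
    // Returns array(user, pwd, errors). isset() avoids a notice on a missing
    // key; a strict '' comparison catches the "exists but empty" case.
    $errors = array();
    $user = isset($post['user']) ? trim($post['user']) : '';
    $pwd  = isset($post['pwd']) ? $post['pwd'] : '';  // never alter a password
    if ($user === '') { $errors[] = 'Username cannot be empty.'; }
    if ($pwd === '')  { $errors[] = 'Password cannot be empty or blank.'; }
    return array($user, $pwd, $errors);
}

function login(PDO $db, $user, $pwd)
{
    // The value travels separately from the SQL text, so quotes, wildcards or
    // keywords in $user are compared as data and cannot alter the query.
    $stmt = $db->prepare('SELECT pwd FROM newsignup WHERE user = :user');
    $stmt->execute(array(':user' => $user));
    $hash = $stmt->fetchColumn();                 // false when no such user
    // password_verify() checks the salted hash in constant time.
    return $hash !== false && password_verify($pwd, $hash);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE newsignup (user TEXT PRIMARY KEY, pwd TEXT NOT NULL)');
$db->prepare('INSERT INTO newsignup (user, pwd) VALUES (:user, :pwd)')
   ->execute(array(':user' => 'alice',
                   ':pwd'  => password_hash('correct horse', PASSWORD_DEFAULT)));
$cases = array(
    array('user' => 'alice',    'pwd' => 'correct horse'),  // login ok
    array('user' => 'alice',    'pwd' => 'wrong'),          // login failed
    array('user' => "o'brien%", 'pwd' => 'x'),              // quote/wildcard are data: login failed
    array('user' => '',         'pwd' => 'x'),              // rejected by validation
);
foreach ($cases as $post) {
    list($user, $pwd, $errors) = validate_login_input($post);
    $result = $errors ? 'rejected: ' . implode(' ', $errors)
                      : (login($db, $user, $pwd) ? 'login ok' : 'login failed');
    printf("%-12s -> %s\n", var_export($post['user'], true), $result);
}
```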

seandisanti
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Fri Nov 02, 2012 2:22 pm

You can also use helper functions to consolidate some of your code too. For example:

<?php
function clean($s)
{
	return mysql_real_escape_string(strip_tags(trim($s)));
}

Then you can just do

$user = clean($_POST['user']);
