Forms...and WHERE in mysql

on 28.12.2007 11:13:35 by lukk3tt0

Hi guys,
I found this script:
http://hvassing.com/2007/simple-php-login-script-using-session-and-mysql/#comment-31549

but if I try to recall, in a page I created, the variable "username"
that a user fills in the login page, it does not work.
How could I retrieve the "username", in other pages, using sessions?

I think that the answer is in the last 8 lines of code of
"manage-check.php" but I do not know how....

For example if I fill this code in "members-only.php":

---------------------------------------
$db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user','123456') or
die(mysql_error());

mysql_select_db("XXXX",$db);

$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
while ($record = mysql_fetch_row($result)){
echo "id: ".$record[0]."
";
echo "NOME: ".$record[1]."
";
echo "
";
}
---------------------------------------

it does not work!!!
How could I retrieve "username" using "WHERE username="?????????" ???

TNX in advance!

Re: Forms...and WHERE in mysql

on 28.12.2007 14:51:09 by jodleren

On Dec 28, 12:13 pm, lukk3tt0 wrote:
> Hi guys,
> I found this script:http://hvassing.com/2007/simple-php-login-script-using-session-and-my...
>
> but if I try to recall, in a page I created, the variable "username"
> that a user fill in the login page, it does not work.
> How could I retrieve the "username", in other pages, using sessions?

hmmm cannot quite follow, but a common thing (which even I made when
using sessions first time :-|) is to forget to use start_session()
every time. It does not start the session, just gives you access to
it.

> $result=mysql_query("SELECT * FROM members
> WHERE username="$_POST[username]"");

Gee... I have been wondering whether the post can be in there, but
*just in case* I have always used it like this

$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_POST["username"]."\"");
or
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_SESSION["username"]."\"");

say
if(isset($_SESSION["username"]))
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_SESSION["username"]."\"");
else
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_POST["username"]."\"");

WBR
Sonnich

Re: Forms...and WHERE in mysql

on 28.12.2007 15:22:52 by sskaje

On Dec 28, 6:13 pm, lukk3tt0 wrote:
> Hi guys,
> I found this script:http://hvassing.com/2007/simple-php-login-script-using-session-and-my...
>
> but if I try to recall, in a page I created, the variable "username"
> that a user fill in the login page, it does not work.
> How could I retrieve the "username", in other pages, using sessions?
>
> I think that the answer is in the last 8 lines of code of
> "manage-check.php" but I do not know how....
>
> For example if I fill this code in "members-only.php":
>
> ---------------------------------------
> $db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user','123456') or
> die(mysql_error());
>
> mysql_select_db("XXXX",$db);
>
> $result=mysql_query("SELECT * FROM members
> WHERE username="$_POST[username]"");
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> while ($record = mysql_fetch_row($result)){
> echo "id: ".$record[0]."
> ";
> echo "NOME: ".$record[1]."
> ";
> echo "
> ";}
>
> ---------------------------------------
>
> it does not work!!!
> How could I retrieve "username" using "WHERE username="?????????" ???
>
> TNX in advance!

The MySQL Select should be like
SELECT `field`, `field` FROM `table` WHERE `field`='value';

you need the '' unless the field is kinda int

Re: Forms...and WHERE in mysql

on 28.12.2007 16:14:44 by Jerry Stuckle

lukk3tt0 wrote:
> Hi guys,
> I found this script:
> http://hvassing.com/2007/simple-php-login-script-using-session-and-mysql/#comment-31549
>
> but if I try to recall, in a page I created, the variable "username"
> that a user fill in the login page, it does not work.
> How could I retrieve the "username", in other pages, using sessions?
>
> I think that the answer is in the last 8 lines of code of
> "manage-check.php" but I do not know how....
>
> For example if I fill this code in "members-only.php":
>
> ---------------------------------------
> $db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user','123456') or
> die(mysql_error());
>
> mysql_select_db("XXXX",$db);
>
> $result=mysql_query("SELECT * FROM members
> WHERE username="$_POST[username]"");
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> while ($record = mysql_fetch_row($result)){
> echo "id: ".$record[0]."
> ";
> echo "NOME: ".$record[1]."
> ";
> echo "
> ";
> }
> ---------------------------------------
>
> it does not work!!!
> How could I retrieve "username" using "WHERE username="?????????" ???
>
> TNX in advance!
>

Enable display_errors and see what you get for messages.

Also, please cross-post; do not multi-post!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Forms...and WHERE in mysql

on 28.12.2007 19:09:25 by Michael Fesser

.oO(jodleren)

>Gee... I have been wondering whether the post can be in there, but
>*just in case* I have always used it like this
>
> $result=mysql_query("SELECT * FROM members WHERE username=\"".
>$_POST["username"]."\"");
>or
> $result=mysql_query("SELECT * FROM members WHERE username=\"".
>$_SESSION["username"]."\"");

Strings in SQL are delimited with single quotes. And you _never_ want to
use a user-submitted value directly in a query without any validation.
Read about SQL injection.

Micha

Re: Forms...and WHERE in mysql

on 29.12.2007 00:23:30 by jpyers

On Dec 28, 2:13 am, lukk3tt0 wrote:
> Hi guys,
> I found this script:http://hvassing.com/2007/simple-php-login-script-using-session-and-my...
>
> but if I try to recall, in a page I created, the variable "username"
> that a user fill in the login page, it does not work.
> How could I retrieve the "username", in other pages, using sessions?
>
> I think that the answer is in the last 8 lines of code of
> "manage-check.php" but I do not know how....
>
> For example if I fill this code in "members-only.php":
>
> ---------------------------------------
> $db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user','123456') or
> die(mysql_error());
>
> mysql_select_db("XXXX",$db);
>
> $result=mysql_query("SELECT * FROM members
> WHERE username="$_POST[username]"");
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> while ($record = mysql_fetch_row($result)){
> echo "id: ".$record[0]."
> ";
> echo "NOME: ".$record[1]."
> ";
> echo "
> ";}
>
> ---------------------------------------
>
> it does not work!!!
> How could I retrieve "username" using "WHERE username="?????????" ???
>
> TNX in advance!




$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");

Your quotes are messed up, doing what sskaje said should fix your
problem.

$result = mysql_query("SELECT * FROM members WHERE username=`
$_POST['username']`");

That should fix your problem.

Re: Forms...and WHERE in mysql

on 29.12.2007 01:33:01 by Michael Fesser

.oO(jpyers@gmail.com)

>$result=mysql_query("SELECT * FROM members
>WHERE username="$_POST[username]"");
>
>Your quotes are messed up, doing what sskaje said should fix your
>problem.
>
>$result = mysql_query("SELECT * FROM members WHERE username=`
>$_POST['username']`");
>
>That should fix your problem.

Nope. It will cause a parse error because of the single-quoted array
index inside of a double-quoted string. Additionally it will cause an
SQL error because a backtick (`) is not a valid string delimiter.

Correct:

$result = mysql_query("
SELECT *
FROM members
WHERE username = '$_POST[username]'
");

or

$result = mysql_query("
SELECT *
FROM members
WHERE username = '{$_POST['username']}'
");

Of course this won't fix the SQL injection problem ...

Micha
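
Added example (not part of the original thread): the string-built query discussed above next to a prepared statement, run against constructed data. It assumes PHP with PDO and the pdo_sqlite driver, using an in-memory SQLite table in place of the poster's MySQL server; the function names and sample inputs are made up for illustration.

```php
<?php
// Added example, not code from the thread. Constructed data; PDO with an
// in-memory SQLite table stands in for MySQL so the script needs no server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO members (username) VALUES ('alice'), ('bob'), ('o''brien')");

// Pattern from the thread: the submitted value is pasted into the SQL text.
function find_concatenated(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM members WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is sent separately from the SQL text,
// so quote characters inside it stay data and cannot alter the query.
function find_prepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['username'].
$inputs = ['alice', "o'brien", "nobody' OR '1'='1"];

foreach ($inputs as $in) {
    try {
        $concat = count(find_concatenated($pdo, $in)) . ' row(s)';
    } catch (PDOException $e) {
        // An apostrophe in the value ends the SQL string early.
        $concat = 'SQL error';
    }
    $prepared = count(find_prepared($pdo, $in));
    printf("%-20s concatenated: %-10s prepared: %d row(s)\n", $in, $concat, $prepared);
}
```

The same prepare/execute calls work with a MySQL DSN; only the connection line changes.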

Re: Forms...and WHERE in mysql

on 29.12.2007 03:31:03 by ivansanchez-alg

Michael Fesser wrote:

> Read about SQL injection.

Well, I prefer to laugh at it:

http://xkcd.com/327/


--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

Now listening to: Lamb - The K&D Sessions? (1998) - [10] Trans Fatty Acid
(K&D Session) (8:31) (97.000000%)

Re: Forms...and WHERE in mysql

on 31.12.2007 12:21:14 by luiheidsgoeroe

On Sat, 29 Dec 2007 01:33:01 +0100, Michael Fesser wrote:

> .oO(jpyers@gmail.com)
>
>> $result=mysql_query("SELECT * FROM members
>> WHERE username="$_POST[username]"");
>>
>> Your quotes are messed up, doing what sskaje said should fix your
>> problem.
>>
>> $result = mysql_query("SELECT * FROM members WHERE username=`
>> $_POST['username']`");
>>
>> That should fix your problem.
>
> Nope. It will cause a parse error because of the single-quoted array
> index inside of a double-quoted string. Additionally it will cause an
> SQL error because a backtick (`) is not a valid string delimiter.
>
> Correct:
>
> $result = mysql_query("
> SELECT *
> FROM members
> WHERE username = '$_POST[username]'
> ");

Which will probably give a notice the constant 'username' is not defined.

> or
>
> $result = mysql_query("
> SELECT *
> FROM members
> WHERE username = '{$_POST['username']}'
> ");

That's the one.

> Of course this won't fix the SQL injection problem ...

Very true. And a 'SELECT * ' should never be used in production, only for
testing purposes. Naming the fields you should have will both ease the
load on the server and cause a transparent failure instead of an obscure
one on a table alteration.
--
Rik Wasmus

Re: Forms...and WHERE in mysql

on 31.12.2007 15:52:56 by Michael Fesser

.oO(Rik Wasmus)

>On Sat, 29 Dec 2007 01:33:01 +0100, Michael Fesser wrote:
>
>> $result = mysql_query("
>> SELECT *
>> FROM members
>> WHERE username = '$_POST[username]'
>> ");
>
>Which will probably give a notice the constant 'username' is not defined.

Nope, not in this case. Constants are not resolved in a double-quoted
string (unless you use curly syntax like in the second example).
Whether this syntax is recommended or not is another question, though.

Micha