ok I am going to make an admin center for my script. The admin password is going to be stored in a mySQL database. I'm going to get the password and check if it's the same as the one entered. The thing is I want to know if there is some special security feature I should use.
@NogDogNov 28.2005 — #If you want to use the MySQL password function, it's pretty straight-forward. When you create/modify the user's password, you store it in the database:
[code=php]
# assume $user and $password have the user name and password values
$query = "INSERT INTO users SET user = '$user', password = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_affected_rows() == 1)
{
    # added row successfully
}
[/code]
When checking the password:
[code=php]
$query = "SELECT * FROM users WHERE user = '$user' AND password = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 1)
{
    # found exactly one match so we're good to go
}
[/code]
@acemoNov 28.2005 — #The following code gives me this error:
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'user' = '' AND 'password' = PASSWORD('')' at lin
[code=php]
$query = "SELECT * FROM 'users' WHERE 'user' = '$user' AND 'password' = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 1){
    # ...
}
[/code]
I don't know what mysql version my host is using.
Is there any command for checking the mysql version?
Did I do something wrong in this code?
Or does someone know a query that works with all versions of mysql?
@NogDogNov 28.2005 — #It would appear that $user and $password are not set (thus the empty quotes inside the relevant places in the query). Either change those variables to whatever you are using in your login script to store the login name and password input by the user, or change the variable names you use to store them.
the script:
[code=php]
# session_start() is assumed to have been called earlier in the script
if(isset($_POST['submit']))
{
    $user = $_POST['username'];
    $password = $_POST['password'];
    $query = "SELECT * FROM 'users' WHERE 'user' = '$user' AND 'password' = PASSWORD('$password')";
    $result = mysql_query($query) or die(mysql_error());
    if(mysql_num_rows($result) == 1)
    {
        $_SESSION['logged'] = TRUE;
        if(isset($_SESSION['caller'])) # if we got here from another page, go there
        {
            header("Location: " . $_SESSION['caller']);
            exit;
        }
        else # otherwise go to main page
        {
            header("Location: index.php");
            exit;
        }
    }
    else # invalid login, so create error message
    {
        $error = "<p id='error'>ERROR: Invalid user name and/or password.</p>";
    }
}
[/code]
the error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'user' = 'acemo' AND 'password' = PASSWORD('passw
@NogDogNov 28.2005 — #Use backwards quotes (or sometimes called back-ticks) around column and table names, not regular quotes:
[code=php]
$query = "SELECT * FROM `users` WHERE `user` = '$user' AND `password` = PASSWORD('$password')";
[/code]
(You probably only need the back-ticks around the password column name, as it is a reserved word. But using it on all the table/column names doesn't hurt.)
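Editor's added example, not code from NogDog, acemo or the rest of this thread. It shows the same two steps from the first reply (store the password at registration, then check it at login) and the identifier quoting from the reply just above, but written so that the user name and password never become part of the SQL text: PDO prepared statements carry them as bound parameters, and the hash is computed and compared in PHP with password_hash()/password_verify() rather than MySQL's PASSWORD() (which is meant for MySQL account passwords and no longer exists in MySQL 8.0). The DSN, the connection credentials and the `users` table layout (columns `user` and `password`) are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes a table created as:
//   CREATE TABLE `users` (`user` VARCHAR(64) PRIMARY KEY, `password` VARCHAR(255) NOT NULL);
// and the connection settings below (all three values are placeholders).
const DB_DSN  = 'mysql:host=localhost;dbname=example;charset=utf8mb4';
const DB_USER = 'example_user';
const DB_PASS = 'example_password';

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the SQL text and the bound values travel separately,
        // so a quote or semicolon inside $user or $password cannot change the query.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Registration / password change. The hash is computed in PHP (bcrypt via
// password_hash), so the database only ever receives the hash, never the password.
function createUser(PDO $pdo, string $user, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO `users` (`user`, `password`) VALUES (:user, :hash)');
    $stmt->execute([':user' => $user, ':hash' => $hash]);
    return $stmt->rowCount() === 1;   // same "exactly one row added" check as the first reply
}

// Login check. The query selects by user name only, with the name passed as a
// bound parameter; the password comparison happens in PHP, not inside the SQL.
function checkLogin(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT `password` FROM `users` WHERE `user` = :user');
    $stmt->execute([':user' => $user]);
    $hashes = $stmt->fetchAll(PDO::FETCH_COLUMN);
    // Exactly one row must match, mirroring mysql_num_rows($result) == 1 in the thread,
    // and the submitted password must verify against the stored hash.
    return count($hashes) === 1 && password_verify($password, $hashes[0]);
}

// Form handler, shaped like the login script acemo posted earlier in the thread.
session_start();
if (isset($_POST['submit'])) {
    $user     = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (checkLogin(db(), $user, $password)) {
        session_regenerate_id(true);    // fresh session id once the user is authenticated
        $_SESSION['logged'] = true;
        header('Location: index.php');
        exit;
    }
    $error = "<p id='error'>ERROR: Invalid user name and/or password.</p>";
}
```

Compared with the PASSWORD('$password') queries above, the database here never sees the clear-text password and the query text is fixed at prepare time, so the back-tick quoting is purely about reserved words, not about whether user input can break out of the quotes.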
@SheldonNov 28.2005 — #Well you are trying to select a username from your database so you have to have a field called "user" in the database, else you will just be selecting distinct passwords
[code=php]
$query = "SELECT * FROM users WHERE password = PASSWORD('$password')";
[/code]
but that will mean on your register script you would have to check that the password does not already exist before you add it.
Then that means you can take the username field off your form
[b]But the best idea is to add a username field to your database![/b]