How to use Password() in PHP? Syntax problem?

#1 September 8th, 2008, 03:55 PM

Hello again.
I have tried to use password() in my login-script but it did not work.

My code is:

$sql = "SELECT * FROM users";
$sql .= " WHERE username ='" .
mysql_real_escape_string($_POST['username']) . "' ";
$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

What is wrong in this?
And how should I write it?

Thanks for all help!

Karl

#2 September 8th, 2008, 04:05 PM

On Mon, 08 Sep 2008 07:46:10 -0700, karlarneg wrote:

Quote:

I have tried to use password() in my login-script but it did not work.

Why did it not work? Did you get an error message? What have you tried?

Quote:

$sql = "SELECT * FROM users";
$sql .= " WHERE username ='" .
mysql_real_escape_string($_POST['username']) . "' "; $sql .= " AND pwd =
(PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

Maybe it is the spaces within the '' which are the problem.

#3 September 8th, 2008, 04:25 PM

karlarneg@gmail.com wrote:

Quote:

Hello again.
I have tried to use password() in my login-script but it did not work.
>
My code is:
>
$sql = "SELECT * FROM users";
$sql .= " WHERE username ='" .
mysql_real_escape_string($_POST['username']) . "' ";
$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";
>
What is wrong in this?
And how should I write it?
>
Thanks for all help!
>
Karl
>

Karl,

A bigger question is - why are you storing web users in the MySQL user
table? That should be only for MySQL users - and your website users
should never have MySQL user id's.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

#4 September 8th, 2008, 05:55 PM

Jensen Somers wrote:

Quote:

Jerry Stuckle wrote:

Quote:

>karlarneg@gmail.com wrote:

Quote:

>>Hello again.
>>I have tried to use password() in my login-script but it did not work.
>>>
>>My code is:
>>>
>>$sql = "SELECT * FROM users";
>>$sql .= " WHERE username ='" .
>>mysql_real_escape_string($_POST['username']) . "' ";
>>$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";
>>>
>>What is wrong in this?
>>And how should I write it?
>>>
>>Thanks for all help!
>>>
>>Karl
>>>

>Karl,
>>
>A bigger question is - why are you storing web users in the MySQL user
>table? That should be only for MySQL users - and your website users
>should never have MySQL user id's.
>>
>>
>>

>
Who said he is using the MySQL users table? It's not because his users
table is also called users he is mixing it with the MySQL users table.
>

Yes, that's true. However, additionally, if he would have asked in the
correct newsgroup (PASSWORD is not a PHP function), he would have found
he shouldn't be using PASSWORD for encrypting user passwords.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

#5 September 8th, 2008, 07:35 PM

On 8 Sep, 18:46, Jerry Stuckle <jstuck...@attglobal.netwrote:

Quote:

Jensen Somers wrote:

Quote:

Jerry Stuckle wrote:

Quote:

karlar...@gmail.com wrote:
>Hello again.
>I have tried to use password() in my login-script but it did not work..

>

Quote:

>My code is:

>

Quote:

>$sql = "SELECT * FROM users";
>$sql .= " WHERE username ='" .
>mysql_real_escape_string($_POST['username']) . "' ";
>$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

>

Quote:

>What is wrong in this?
>And how should I write it?

>

Quote:

>Thanks for all help!

>

Quote:

>Karl

>

Quote:

Karl,

>

Quote:

A bigger question is - why are you storing web users in the MySQL user
table? *That should be only for MySQL users - and your website users
should never have MySQL user id's.

>

Quote:

Who said he is using the MySQL users table? It's not because his users
table is also called users he is mixing it with the MySQL users table.

>
Yes, that's true. *However, additionally, if he would have asked in the
correct newsgroup (PASSWORD is not a PHP function), he would have found
he shouldn't be using PASSWORD for encrypting user passwords.
>

I use md5 and sha1 instead of password(); Now I have the result I was
looking for:)

Now I have to find out how I can do the input sensitive!
I have to control that uppercase and lowercase are exactly written
into the field as it is stored in the database!

Thanks for all help and advice!

Karl

#6 September 8th, 2008, 09:45 PM

..oO(karlarneg@gmail.com)

Quote:

>I have tried to use password() in my login-script but it did not work.
>
>My code is:
>
>$sql = "SELECT * FROM users";
>$sql .= " WHERE username ='" .
>mysql_real_escape_string($_POST['username']) . "' ";
>$sql .= " AND pwd = (PASSWORD( ' " . $_POST['pwd'] . " ' )) ";

The $_POST['pwd'] variable has to be escaped as well! You should also
consider using sprintf() or prepared statements to create the query,
e.g.

$sql = "
SELECT ... -- you should explicitly list the columns to retrieve
FROM users
WHERE username = '%s'
AND pwd = PASSWORD('%s')
";
$query = sprintf($sql,
mysql_real_escape_string($_POST['username']),
mysql_real_escape_string($_POST['pwd'])
);

Micha

How to use Password() in PHP? Syntax problem?

re: How to use Password() in PHP? Syntax problem?

re: How to use Password() in PHP? Syntax problem?

re: How to use Password() in PHP? Syntax problem?

re: How to use Password() in PHP? Syntax problem?

re: How to use Password() in PHP? Syntax problem?

/bytes/development

/bytes/it

/bytes/about