for working with a DB, you’ll find something in the Manual’s
PDO or
MySQLi sections (note that the old mysql_* functions are deprecated).
your other problem—SQL Injection—there Google will provide a plethora of explanations.
depending of your exact version of PHP 5, you can make advantage of password hashing functions like
password_hash(). generally, passwords should never be stored in plain text (a matter of security), therefore you should hash them.
since
register_globals is now removed from PHP (another security matter), you fetch your user-supplied data from one of the
superglobals (depending on your transfer method that would primarily be $_GET and $_POST).
short tags should not be used anyways, typing those three extra letters (i.e.
<?php instead of
<?) does not have any effect on performance.
the SQL query itself. since you only want to know, if there is a match or not, return the number of matches via SQL’s
COUNT() function (PS. fetching data is more reliable that counting result rows). besides that, in SQL never request data you don’t need. therefore the SQL wildcard
* is a no-go.
a sensible login query looks like
- SELECT COUNT(*) FROM mytable WHERE username = ? AND password_hash = ?;
tip: "connection" is a poor name for a table that stores user data (and not connections)
tip: make sure to set indexes on the DB table. makes the queries much faster
note:
.php3 is a bad choice for a PHP 5 file extension. just the generic
.php suffices.
javascript
: event handlers should be defined inside JavaScript. doing that inside HTML makes it more complicated to read and maintain, and cuts down on possibilities.
e.g.
- document.forms[0].addEventListener("submit", verifyChamp);
-
-
function verifyChamp(evt)
-
{
-
// note: the form element is in the variable 'this'
-
-
// do validation
-
-
// cancel submission if something is wrong
-
if (!valid) {
-
evt.preventDefault();
-
}
-
}
3
