Mssql Addslashes on login script

snicolas
Forum Commoner
Posts: 97
Joined: Tue Nov 09, 2004 8:32 am

Mssql Addslashes on login script

Post by snicolas »

Hi All,

Really need some help on that one:
I am running php + mssql + apache on windows xp.
Everything works fine apart from this..

I have users and password in mssql table.
Username or password can contain weird characters such as ' (single quote), ";" etc etc...

When trying to check if username is valid or not I am in trouble.
I tried to use the:
$newpostedusername=addslashes($_POST["username"]);
But this is not working in mssql

I also tried
$newpostedusername = str_replace("'", "''", $newpostedusername);
$newpostedusername = str_replace('"', "'+String.fromCharCode(34)+'", $newpostedusername);

but get an error message as:
mssql_query(): message: Unclosed quotation mark before the character string 'USERNAME\'''. (severity 15) .

A current user name is sc' ..
How can I check this??
PLEASE HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

stef
swdev
Forum Commoner
Posts: 59
Joined: Mon Oct 25, 2004 8:04 am

Post by swdev »

I don't use mssql. However, echo out the SQL statement before you send it to the database and see what it says. It sounds like there is an error before it gets to the USERNAME variable.

If that doesn't help, post your code and I'll see if I can help
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

mike at gyrate dot org wrote: please note that addslashes will NOT work with mssql, since mssql does not use the backslash character as an escape mechanism. just double your quotes instead. or use this:


function mssql_addslashes($data) {
   $data = str_replace("'", "''", $data);
   return $data;
}
snicolas
Forum Commoner
Posts: 97
Joined: Tue Nov 09, 2004 8:32 am

Post by snicolas »

Hey,

Using Mike's example, the query runs properly.
However the user does not get access (not recognized)

I have a user in db with:
user:sc'
pass:sc'

The code used is:
$newpostedusername=$_POST["username"];
$newpostedusername = str_replace("'", "''", $newpostedusername);

blah blah select...
The query returned is:
Query String = SELECT password from login where password='sc'''' and username='sc'''' .

As said above, this runs well but apparently the code is looking for a user called sc'' and not sc'.

stef
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

what does


echo 'Magic quotes: '.(ini_get('magic_quotes_gpc') == '' ? 'Off' : 'On')."\n";
yield?
snicolas
Forum Commoner
Posts: 97
Joined: Tue Nov 09, 2004 8:32 am

Post by snicolas »

I don't want to use magic quotes, as the site will be installed on a customer site with no knowledge on how to edit the php.ini.
But if you have a solution using Magic quotes I am happy to see if I can manage it.

Thanks

S.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

When I ask a question I have a reason to do so. I didn't propose that you use magic quotes, I asked if you have them turned on or off. In general, portable code should look like this:


//......
$newpostedusername = $_POST['username']; 
$newpostedpassword = $_POST['password']; 

if( get_magic_quotes_gpc() ) {
  $newpostedusername = stripslashes($newpostedusername);
  $newpostedpassword = stripslashes($newpostedpassword);
}

function mssql_escape($data) {
   return str_replace("'", "''", $data);
}
//......
$query = "SELECT 
                      password 
                from 
                      login 
               where 
                      password = '" . mssql_escape($newpostedpassword) . "' 
                      and username='" . mssql_escape($newpostedusername) . "'";
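The following is an added example, not code posted in this thread. It pulls together the two points made above: Weirdan's mssql_addslashes / mssql_escape helper (MSSQL doubles single quotes rather than backslash-escaping them), and the double-escaped sc'''' that snicolas saw when the input still carried magic-quotes backslashes or was escaped twice. It also shows the parameterised form as the hardened alternative; the PDO sqlsrv driver, the $db connection and the column names are assumptions.

```php
<?php
// Added example (not from the original posts). Normalise request input that
// magic_quotes_gpc may have altered, escape it exactly once for a T-SQL string
// literal, and, as the hardened alternative, bind it as a query parameter.

// Step 1: undo magic_quotes_gpc if the host has it on. The function only exists
// in PHP < 8 and always returns false from PHP 5.4 on, hence the guard.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 2: T-SQL escapes a single quote inside a literal by doubling it.
// A backslash is an ordinary character to MSSQL, so addslashes() is wrong here.
function mssql_escape(string $value): string {
    return str_replace("'", "''", $value);
}

// Build each literal exactly once. Escaping twice, or escaping a value that
// still carries magic-quotes backslashes, is what yields sc'''' in the query.
function build_login_query(string $username, string $password): string {
    return "SELECT password FROM login WHERE username = '"
        . mssql_escape($username) . "' AND password = '"
        . mssql_escape($password) . "'";
}

// Constructed sample inputs: the sc' account from the thread plus two other
// values with awkward characters. Double quotes need no escaping in T-SQL.
$samples = ["sc'", "o'brien", 'say "hi"; go'];
foreach ($samples as $s) {
    echo build_login_query(raw_input($s), raw_input($s)), "\n";
}
// For sc' the statement reads ... username = 'sc''' ... : one doubled quote,
// which MSSQL interprets as the three-character value sc'.

// Hardened alternative: let the driver carry the values so no escaping
// function is involved. Assumes a PDO sqlsrv connection in $db (hypothetical)
// and the same login table and columns used in the thread.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare(
        'SELECT 1 FROM login WHERE username = ? AND password = ?'
    );
    $stmt->execute([raw_input($username), raw_input($password)]);
    return $stmt->fetchColumn() !== false;
}
```

Running the first part prints the three statements so the quoting can be checked by eye, which is the same "echo the SQL before sending it" check swdev suggested; check_login() is only callable once a $db connection is created.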
snicolas
Forum Commoner
Posts: 97
Joined: Tue Nov 09, 2004 8:32 am

Post by snicolas »

Weirdan.

That worked perfectly.
You're the boss....
Thank you

Stef.