
How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 9:27 am
by oscardog
Well, I currently have this:

Code:

$query = "SELECT * FROM members WHERE password = '$password'";
$result1 = mysql_query($query) or die("Can't execute insert query: " . mysql_error());
$row = mysql_fetch_array($result1);
$passwordcheck = $row['password'];

But it doesn't assign the value; it is left blank when I test it using an echo.

I know it's CLOSE to being right, or I'm pretty sure it's close. Anyone?

Thanks

Re: How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 9:47 am
by Jaxolotl
First of all, be careful because your code is far, far from secure. Do a search for SQL injection.
Then take a look at mysql_real_escape_string(): http://www.php.net/mysql_real_escape_string

Now take a look at your code:

Code:

 
// Assuming $password is a POST string that has already been submitted
$password = (string)$_POST['password'];
 
$query = "SELECT * FROM `members` WHERE `password`  = '".$password."' ";
// Are you sure you want to retrieve all the info for that member using *? I suggest asking only for what you need
 
 $result1 = mysql_query($query) or die("Can't execute insert query: " . mysql_error());
$row = mysql_fetch_array($result1);
$passwordcheck = $row['password'];
 
Try something like that.

By the way, are you storing the password as unencrypted plain text? Beware, man.

Re: How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 9:57 am
by oscardog
Thanks for the help, will try it in a second. And that was a segment of code just to retrieve the data; it does all the injections and md5'ing elsewhere in the script ;)

Also, should I do the injections (stripslashes etc.) before or after that query?

Re: How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 9:59 am
by Jaxolotl
Bravo ;)

Re: How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 10:25 am
by oscardog

Code:

<?php
if(isset($_POST['submit'])){
 
if (!$_POST['username'] | !$_POST['password'])
{
die('You did not complete all the required fields. Please go to the <a href="login.php">login page</a>');
}
 
include("connection.php");
 
$username=$_POST['username']; 
$password=$_POST['password'];
 
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);
$query = "SELECT * FROM `members` WHERE `password`  = '".$password."' ";
$result1 = mysql_query($query) or die("Can't execute insert query: " . mysql_error());
$row = mysql_fetch_array($result1);
$passwordcheck = $row['password'];
$passwordcheck = stripslashes($passwordcheck);
 
$sql = "SELECT * FROM members WHERE username='$username' and password='$password'";
$result2 = mysql_query($sql);
 
$count=mysql_num_rows($result2);
echo "Hello2";
echo $password;
echo "hello";
echo $passwordcheck;
echo $count;
if($count == 1 && $password == $passwordcheck) {
session_register("username");
header('location: guild_registration.php');
}

There is an else statement, but I cba to put it up...

Re: How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 10:32 am
by oscardog
Yeah, it doesn't give the password to the variable*

Re: How to Assign a variable using a select statement

Posted: Tue Nov 04, 2008 11:01 am
by lettie_dude
Try adding MYSQL_ASSOC

Code:

mysql_fetch_array($result1, MYSQL_ASSOC);

I'm also assuming you md5'd the passwords when you entered them into the database; otherwise your query will always return false.
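
An added example, not code from any poster in this thread: the login check the thread is working toward, written with a prepared statement and password_hash()/password_verify() in place of the mysql_* calls and md5(). It assumes PDO with an in-memory SQLite database standing in for the MySQL members table; the password_hash column, the sample accounts and the test inputs are constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the thread's MySQL `members` table, and the
// column name password_hash and the sample accounts are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration side: store a salted hash, never the plain text or a bare md5().
$insert = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$insert->execute(['oscar', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);

/**
 * Returns true only when the username exists and the password matches its hash.
 */
function checkLogin(PDO $db, string $username, string $password): bool
{
    // Look the row up by username, not by password, and ask only for the
    // column that is needed. The placeholder keeps input out of the SQL text,
    // so no stripslashes()/escaping step is needed before the query.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched. Indexing that result is what
    // leaves a variable like $passwordcheck blank, so test for it explicitly.
    if ($row === false) {
        return false;
    }
    // password_verify() re-hashes with the stored salt and compares the result.
    return password_verify($password, $row['password_hash']);
}

// Constructed inputs: valid login, wrong password, unknown user, and a
// username containing a quote (which would break a concatenated query).
$cases = [
    ['oscar', 'correct horse'],
    ['oscar', 'wrong'],
    ['nobody', 'correct horse'],
    ["o'brien", 'battery staple'],
];
foreach ($cases as [$user, $pass]) {
    printf("%-10s %s\n", $user, checkLogin($db, $user, $pass) ? 'accepted' : 'rejected');
}
```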