Re: Fwd: Query results

From: "Joel Burton" <joel(at)joelburton(dot)com>
To: <trevor(at)hailix(dot)com>, <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Fwd: Query results
Date: 2002-03-19 18:12:55
Message-ID: JGEPJNMCKODMDHGOBKDNKEOCCFAA.joel@joelburton.com
Lists: pgsql-novice

> I am trying to set up a simple database authorization of users using
> PostgreSQL 7.2 and PHP 4.1. I have included the code below:
>

> <body>
> <?php
> switch($do) {
>
> 	case "authenticate":
>
> 	$Host = "localhost";
> 	$User = "trevor";
> 	$Password = "";
> 	$DBName = "users";
> 	$TableName="users";
>
> 	$Link = pg_connect("host=$Host dbname=$DBName user=$User")
> 		or die ("Couldn't connect to the database");
>
> 	$Query = "SELECT id from $TableName where username='$username' and password='$password'";
>
> 	$results = pg_exec($Link, $Query) or die ("Couldn't connect to the database");
>
> 	$num = pg_numrows($results) or die ("Couldn't count rows");
>
> 	if ($num == 1) {
> 		echo "<P>You are a valid user!<BR>";
> 		echo "Your user name is $username<BR>";
> 		echo "Your user password is $password</P>";
> 	}
> 	else if ($num == 0) {
> 		unset ($do);
> 		echo "<P>You are not authorized! Please try again.</p>";
> 		include("login_form.inc");
> 	}
> 	break;
>
> 	default:
> 	include("login_form.inc");
> }
>
> ?>
> </body>
>
> This script works great as long as the name is in the database, but if it is
> not then $num has no value and consequently errors out. Even if you use the
> correct firstname and an incorrect password the pg_numrows errors out.
>
> Any help would be appreciated.

How about:
  if ($num >= 1) { valid }
  else { invalid }

BTW, be careful with code like this. What will happen when someone enters a
username like "bob'; delete from important_table; select * from users where
username='bob".

PHP may see this as a select query, a delete query, and a select query. Make
sure your permissions in the database are tight, and consider using safe
quoting functions in PHP.

Joel
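The quoting concern raised above, shown as an added example that is not code from either poster: the same login check with the user input passed as query parameters instead of being spliced into the SQL text, and the row count handled without chaining "or die" on it. It assumes a modern PHP with pg_query_params() (PHP 5.1 or later) and the same "users" table and connection string as the original script.

```php
<?php
// Added example, not from the original thread. Assumes a "users" table with
// columns id, username and password, reachable with the connection string
// used in the post, and a database role limited to SELECT on that table.

function find_user_id($link, $username, $password)
{
    // VULNERABLE (as in the original post): input becomes part of the SQL
    // text, so a quote in $username changes the structure of the statement.
    // $query = "SELECT id FROM users WHERE username='$username' AND password='$password'";

    // HARDENED: $1 and $2 are sent to the server separately from the query
    // text and are always treated as data, so the "bob'; delete from ..."
    // value from the thread is just a username that matches no row.
    // (Identifiers such as the table name cannot be parameters, so the
    // table is a fixed name here rather than taken from a variable.)
    $query  = 'SELECT id FROM users WHERE username = $1 AND password = $2';
    $result = pg_query_params($link, $query, array($username, $password));
    if ($result === false) {
        return null;   // query failed: report it, do not treat as "wrong password"
    }

    // pg_num_rows() returns 0 for no match. Do not write
    // "$num = pg_num_rows($result) or die(...)": 0 is falsy, so every failed
    // login would die instead of reaching the "not authorized" branch.
    if (pg_num_rows($result) === 1) {
        return (int) pg_fetch_result($result, 0, 'id');
    }
    return false;      // no such user, or wrong password
}

$link = pg_connect('host=localhost dbname=users user=trevor')
    or die('Could not connect to the database');

// The original compares plaintext passwords; in practice the column should
// hold a hash and the check should use password_verify().
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$id = find_user_id($link, $username, $password);
if ($id === null) {
    echo '<p>Login is temporarily unavailable.</p>';
} elseif ($id === false) {
    echo '<p>You are not authorized! Please try again.</p>';
} else {
    // Never echo the password back; escape anything reflected into HTML.
    echo '<p>You are a valid user (id ' . htmlspecialchars((string) $id) . ').</p>';
}
```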
