开发者

Can anyone help me figure out the meaning of this php error message? [duplicate]

问答 作者:
This question already has answers here: Closed 11 years ago.

Possible Duplicate:

Can anyone help me figure out what is wrong with this code?

Here is my code

$con = mysql_connect("localhost", "root", '');

if (!$con) {
    die('Cannot make a connection');
}


mysql_select_db('yumbox_table', $con) or die('Cannot make a connection');    
isset($_POST['user_name'], $_PO开发者_如何学GoST['password'], $_POST['user_type']);

$data = mysql_query("SELECT * 
                       FROM users 
                      WHERE user_name == ($_POST['user_name']) 
                        AND ($_POST['password']) 
                        AND ($_POST['user_type'])") or die(mysql_error());

$info = mysql_fetch_array($data);
$count = mysql_numrows($data);

if ($count == 1) {
    echo("Success!!");
} else {
    echo("BIG FRIGGIN FAILURE!!");
}

mysql_close($con);

Whenever I run this code, I receive the following message:

You need to escape your POST values before you insert put them into your query. You should escape your POST values before you use them in a database query.

Instead of this:

$data = mysql_query("SELECT * from users where user_name == ($_POST['user_name']) and ($_POST['password']) and ($_POST['user_type'])"

Do this:

$user_name = mysql_real_escape_string($_POST['user_name']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$data = mysql_query("SELECT * FROM users WHERE user_name == '$user_name' AND password == '$password' AND user_type == '$user_type'");

Note that I am assuming your columns in the table are 'user_name', 'password', and 'user_type'.

if(isset($_POST['user_name'], $_POST['password'], $_POST['user_type'])){
    $data = mysql_query("SELECT * from users 
             where user_name = '".mysql_real_escape_string($_POST['user_name'])."' and 
                   password  = '".mysql_real_escape_string($_POST['password'])."' and 
                   user_type = '".mysql_real_escape_string($_POST['user_type'])."' ");

    if(mysql_numrows($data) == 1) {
       $info = mysql_fetch_array($data);
       echo("Success!!");
    } else {
       echo("BIG FRIGGIN FAILURE!!");
    }
}
else{
   echo "Required Data Missing";
}

mysql_close($con);

You need to post the error for more details. But a few things I noticed was 

mysql_query("SELECT * from users where user_name == ($_POST['user_name']) and ($_POST['password']) and ($_POST['user_type'])")

You need to change this to 

//do escaping here. See note below.
$username = isset($_POST['user_name']) ? mysql_real_escape($_POST['user_name']) : '';
$pass     = isset($_POST['password']) ? mysql_real_escape($_POST['password']) : '';
$type     = isset($_POST['user_type']) ? mysql_real_escape($_POST['user_type']) : '';

mysql_query("SELECT * from users where user_name = '{$username}' AND password = '{$pass}' AND user_type = '{$type}'")

You need to escape values

MySQL comparisons are = and not == (thanks for pointing that out @jeremysawesome)

You need to check the column against your POST value

You also have an SQL injection vulnerability. Please at least use mysql_real_escape. Better yet, switch to PDO

You need to assign your isset check to a variable and check it. Otherwise it's just a waste.

继续阅读:formsphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9