 custom login
J.D. Archer
Posted: 05/22/2001, 8:41 PM

$sLogin = get_param("Login");
$sPassword = md5(get_param("Password"));
$db->query("SELECT username,security FROM login WHERE username=" .
    tosql($sLogin, "Text") . " AND password=" . tosql($sPassword, "Text"));

if($db->next_record())
{
    // Login and password passed
    set_session("UserID", $db->f("username"));
    set_session("UserRights", $db->f("security"));
}
else
{
    $sLoginErr = "Login or Password is incorrect--stupid.";
}

----------------------------------------------------------------------
This is what I have on the custom login event on the login form.

With this code in place this is the error message I get.

Database error: Invalid SQL: SELECT username FROM login WHERE userid=jarcher
MySQL Error: 1054 (Unknown column 'jarcher' in 'where clause')
Session halted.

Here is what the database looks like.

mysql> select * from login
    -> ;
+--------+----------+----------------------------------+----------+-------------+
| userid | username | password                         | security | fullname    |
+--------+----------+----------------------------------+----------+-------------+
| 234    | jarcher  | 81dc9bdb52d04dc20036dbd8313ed055 | 3        | J.D. Archer |
+--------+----------+----------------------------------+----------+-------------+
1 row in set (0.00 sec)

mysql> show columns from login
    -> ;
+----------+-------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| userid   | varchar(10) | YES  |     | NULL    |       |
| username | varchar(50) | YES  |     | NULL    |       |
| password | varchar(50) | YES  |     | NULL    |       |
| security | varchar(5)  | YES  |     | NULL    |       |
| fullname | varchar(50) | YES  |     | NULL    |       |
+----------+-------------+------+-----+---------+-------+
5 rows in set (0.01 sec)


--

What is the cause of this?


-----
J.D. Archer
Network Engineer
221-6389

David A. Lee
Posted: 05/22/2001, 10:06 PM

You need to quote the username and password

$db->query("SELECT username,security FROM login WHERE username=\'" .
tosql($sLogin, "Text") . "\' AND password=\'" .
tosql($sPassword, "Text") . "\'");

This will produce the correct SQL
SELECT username, security FROM login WHERE username='something' AND
password='somethingelse'




Walker P.
Posted: 05/23/2001, 8:51 AM

In this case, you DON'T need to quote the username nor password. The
function tosql() does that for you. For instance if you pass a string
mypassword to tosql using tosql("mypassword", "Text"), the function will
return the string enclosed in single quotes i.e. 'mypassword'. For your
information, the function tosql() is defined as:

function tosql($value, $type)
{
    if($value == "")
        return "NULL";
    else
        if($type == "Number")
            return doubleval($value);
        else
        {
            if(get_magic_quotes_gpc() == 0)
            {
                $value = str_replace("'","''",$value);
                $value = str_replace("\\","\\\\",$value);
            }
            else
            {
                $value = str_replace("\\'","''",$value);
                $value = str_replace("\\\"","\"",$value);
            }

            return "'" . $value . "'";
        }
}

In your case Archer, you need to locate where the SQL statement:
SELECT username FROM login WHERE userid=jarcher
is being generated. I can tell you for a fact that it is not coming from the
custom login event code since the code there would generate something like:
SELECT username, security FROM login WHERE userid='jarcher' AND password = 'somegibberish'

Walker P.
CodeCharge Support
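
Added example, not part of the original thread and not CodeCharge's own code: the same login check written with a PDO prepared statement, so the driver handles the quoting that tosql() does by string replacement, and with password_hash()/password_verify() in place of the unsalted md5() comparison. The in-memory SQLite database, the sample row and the check_login() name are assumptions made for the example.

```php
<?php
// Constructed setup: same column names as the thread's `login` table.
// The password column is widened because password_hash() output does not
// fit the thread's varchar(50).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (
    userid   VARCHAR(10),
    username VARCHAR(50),
    password VARCHAR(255),
    security VARCHAR(5),
    fullname VARCHAR(50))');

// Constructed sample row; the apostrophe shows that no escaping is needed.
$insert = $pdo->prepare('INSERT INTO login VALUES (?, ?, ?, ?, ?)');
$insert->execute([
    '1',
    "o'brien",
    password_hash('constructed-sample-pw', PASSWORD_DEFAULT),
    '3',
    "Pat O'Brien",
]);

// Hypothetical helper: returns the session values on success, null on failure.
function check_login(PDO $pdo, string $login, string $password): ?array
{
    // The value is bound to the placeholder and never becomes part of the
    // SQL text, so the "quoted or not quoted" question does not arise.
    $stmt = $pdo->prepare(
        'SELECT username, security, password FROM login WHERE username = ?'
    );
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Look the user up by name only, then verify the submitted password
    // against the stored salted hash in PHP.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ['UserID' => $row['username'], 'UserRights' => $row['security']];
}

var_dump(check_login($pdo, "o'brien", 'constructed-sample-pw'));
var_dump(check_login($pdo, "o'brien", 'wrong-password'));
```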



J.D. Archer
Posted: 05/23/2001, 11:47 AM

Okay, the recent post worked with a little modification to the syntax. Now
it automatically goes to the error in login.

How do I get the
"David A. Lee" <dave@calldei.com> wrote in message
news:9efggn$f6k$1@mail.tankhill.com...
> You need to quote the username and password
>
> $db->query("SELECT username,security FROM login WHERE username=\'" .
> tosql($sLogin, "Text") . "\' AND password=\'" .
> tosql($sPassword, "Text") . "\'");
>
> This will produce the correct SQL
> SELECT username, security FROM login WHERE username='something' AND
> password='somethingelse'