i try to validate my login page..
all special characters are not accepted but when
i input a backslash ( \ ), an error message appears..
error in executing query..
please help how to validate it...
tnx
i try to validate my login page..
all special characters are not accepted but when
i input a backslash ( \ ), an error message appears..
error in executing query..
please help how to validate it...
tnx
mysql_real_escape_string() will escape data for database entry.
But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.
mysql_real_escape_string() will escape data for database entry.
But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.
i try to code mysql_real_escape_string() but I'm having an error.. I dont know where to put the function youre trying to say.
here's the code for your reference
<?php
$errorList = array(); //holds the errors encountered
if (isset($_POST['submitted'])) { // Check if the form has been submitted.
require_once ('database.php'); // Connect to the database.
$database = new database();
// Validate the email address.
if (!empty($_POST['username'])) {
$u = ($_POST['username']);
} else {
$errorList[] = '<b>You forgot to enter your username!</b>';
$u = FALSE;
}
// Validate the password.
if (!empty($_POST['password'])) {
$p = ($_POST['password']);
} else {
$p = FALSE;
$errorList[] = '<b>You forgot to enter your password!<b>';
}
if ($u && $p) { // If everything's OK.
$database->Connect();
// Query the database.
$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='$u' AND Password='$p') and DelCategory='0'";
$result = $database->executeQuery ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
if (@mysql_num_rows($result) == 1) { // A match was made.
$row = mysql_fetch_array ($result);
$database->Disconnect();
session_start();
$_SESSION['AccountType'] = $row['userdesc'];
$_SESSION['UserName']= $row['username'];
$_SESSION['UsersID']= $row['userid'];
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
if ($row['userdesc']== "penafrancia")
$url .= '/admin.php';
header("Location: $url");
exit(); // Quit the script.
} else { // No match was made.
$errorList[] = '<b>The username and password entered is invalid<b>';
}
}
mysql_close(); // Close the database connection.
} // End of SUBMIT conditional.
?>
Change your query string from
$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='$u' AND Password='$p') and DelCategory='0'";
to:
$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='".addslashes($u)."' AND Password='".addslashes($u)."') and DelCategory='0'";
Here I added slashes for parameters before executing query to avoid the SQL injections and make the $query be valid query.
Use mysql_real_escape_string() for the variable holding the query, before executing the query.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.