login - PHP PDO connect -

-

hello trying login pdo faced problems. kazkas blogai message. actually, don't know code problems. here example of php code:

<?php      session_start();      $user = "asgasgasg";     $pass = "jhgjkghjghj";      /* pirmas etapas */     if(isset($_post['accept'])){      try {      $connect = new pdo('mysql:host=localhost;dbname=abba_sql', $user, $pass);     $connect->exec("set character set utf8");       $name=$_post['name'];     $pass=$_post['pass'];     $iname=htmlspecialchars($name);     $ipass=htmlspecialchars($pass);      /* antras etapas */      $sql = $connect->prepare("select * foo name = :name , pass = :pass");     $sql->execute(array(':name' => $iname, ':pass' => $ipass));     $rows = $sql->fetchall();     $rowcount = count($rows);      if($rowcount > 0){         $_session['login'] = "1";         echo 'viskas ciki';     }     else      {         echo 'kazkas blogai';     }      $connect = null;   }      catch(pdoexception $e) {         echo $e->getmessage();     } }        else {   ?>

i glad if me. trying understand pdo basics. advices , help.

first of want aplogize not giving explanation code , want thank 1 editied answer code got inside "code-blocks". answered question in bit of hurry through smartphone. wasn't able add code-blocks or formatting whatsoever phone.

change

$name=$_post['name']; $pass=$_post['pass']; $iname=htmlspecialchars($name); $ipass=htmlspecialchars($pass);

to

$iname=$_post['name']; $ipass=$_post['pass'];

but here comes explanination: (if haven't figured out)

if have username character isn't letters or numeric , have username hedge&hog, example assign value $iname hedge&amp;hog. (because & converted &amp;)

because you're doing conversion, select-statment (that executed):

select * user username='hedge&amp;hog' , password='sdf893'; //example password

when desired query is:

select * user username='hedge&hog' , password='sdf893'; //example password

above queries obvious reasons give different numbers of rows database...

the function htmlspeciarchars() used outputting html uses html entities (when needed). it's not used escaping characters, guess intention was.

when using prepared statements don't have escape strings before inserting them strings. because actual values arent included in actual query. placeholders. pdo (or mysqli) takes care of escaping through it's functions execute(), fetch() etc.

making values placeholders makes more safe not using prepared statements:

example: with prepared statements:

select * username username=:username

without prepared statements:

select * username username='hedge&hog'

if take first query above , execute in mysql-client return error , db-engine not it. it's totally useless without som help-function db-engine. therefore it's impossible manipulate without using code.

if @ second query, it's possible execute , manipulate username db-engine alone.

therefore it's safe prepared statements.

i hope helps further!


Comments

Post a Comment

Popular posts from this blog

java - Jmockit String final length method mocking Issue -

-
using jmockit 1.2 jar, trying mock string's length method getting unexpected invocation exception: failed: test java.lang.illegalstateexception: missing invocation mocked type @ point; please make sure such invocations appear after declaration of suitable mock field or parameter @ stringdemo.testa$1.<init>(testa.java:17) @ stringdemo.testa.test(testa.java:13) i using testng: @test public void test() throws exception { new expectations() { @mocked("length") string astring; { astring.length(); result = 2; } }; system.out.println(a.showa("test")); } } actual class a: public class { public static int showa(string str){ int a= str.length(); return a; } } this wrong way of recording expected results. shouldn't mock , record string's length() method, record showa() instead. here solution @suppresswarnings("unused&qu
Read more

asp.net - Razor Page Hosted on IIS 6 Fails Every Morning -

-
i have simple page in intranet uses razor/asp fetch single record table , display it, plus few graphic, dashboard display. meaning, no user intervention other first time open ie internal url. the problem having every morning ie displays "page not found or network error" message. refresh page, , it's stuck , doesn't display anything. try different pc, open ie internal url , it's stuck... ...until following: login server hosting page run inetmgr go web sites, etc right click on page that's giving me problem , select browse at moment, error message: server error in '/' application. -------------------------------------------------------------------------------- type of page not served. description: type of page have requested not served because has been explicitly forbidden. extension '.cshtml' may incorrect. please review url below , make sure spelled correctly. requested url: /application/dashboard.cshtml ---------------
Read more

c++ - wxwidget compiling on windows command prompt -

-
can please guide me on method,as how compile wxwidget using windows command prompt or msys. [i can't seem find on wxwiki/wxwidget official book/anywhere else] i have compiled wxwidget instructions have provided (using msys). from searching on internet seems 1 can (maybe?) through use of makefile (is correct?) if yes: directory & how should link wx libraries in makefile if no: way besides makefile? i know can use ide's code::block , make life simpler prefer compile using command prompt/msys. thanks in advance.
Read more