login - PHP PDO connect
Hello, I'm trying to do a login with PDO but I've faced problems. I get the "kazkas blogai" ("something's wrong") message. Actually, I don't know where the problem in the code is. Here is an example of my PHP code:
<?php
session_start();
$user = "asgasgasg";
$pass = "jhgjkghjghj";
/* first stage */
if (isset($_POST['accept'])) {
    try {
        $connect = new PDO('mysql:host=localhost;dbname=abba_sql', $user, $pass);
        $connect->exec("SET CHARACTER SET utf8");
        $name = $_POST['name'];
        $pass = $_POST['pass'];
        // HTML-escaping the form values before they go into the query
        $iname = htmlspecialchars($name);
        $ipass = htmlspecialchars($pass);
        /* second stage */
        $sql = $connect->prepare("SELECT * FROM foo WHERE name = :name AND pass = :pass");
        $sql->execute(array(':name' => $iname, ':pass' => $ipass));
        $rows = $sql->fetchAll();
        $rowcount = count($rows);
        if ($rowcount > 0) {
            $_SESSION['login'] = "1";
            echo 'viskas ciki';   // "everything's fine"
        } else {
            echo 'kazkas blogai'; // "something's wrong"
        }
        $connect = null;
    } catch (PDOException $e) {
        echo $e->getMessage();
    }
} else {
?>
I'd be glad if someone could help me. I'm trying to understand the PDO basics. Any advice or help is welcome.
First of all I want to apologize for not giving an explanation of the code, and I want to thank the one who edited my answer so the code got inside code-blocks. I answered the question in a bit of a hurry through my smartphone, and I wasn't able to add code-blocks or any formatting whatsoever on the phone.
Change

$name = $_POST['name'];
$pass = $_POST['pass'];
$iname = htmlspecialchars($name);
$ipass = htmlspecialchars($pass);

to

$iname = $_POST['name'];
$ipass = $_POST['pass'];
But here comes the explanation (if you haven't figured it out already):
If you have a username with a character that isn't a letter or a number, say the username hedge&hog, then in your example you assign the value hedge&amp;hog to $iname (because & gets converted to &amp;).
Because you're doing that conversion, the select statement that actually gets executed is:

select * from user where username='hedge&amp;hog' and password='sdf893'; // example password

when the desired query is:

select * from user where username='hedge&hog' and password='sdf893'; // example password

The above queries, for obvious reasons, give different numbers of rows from the database...
The function htmlspecialchars() is used when outputting HTML; it uses HTML entities where needed. It's not used for escaping characters, which I guess was your intention.

When using prepared statements you don't have to escape strings before inserting them into the query. That's because the actual values aren't included in the actual query; placeholders are. PDO (or mysqli) takes care of the escaping through its functions execute(), fetch() etc.
Making the values placeholders makes it safer than not using prepared statements.

Example, with prepared statements:

select * from username where username=:username

Without prepared statements:

select * from username where username='hedge&hog'

If you take the first query above and execute it in a mysql-client, it returns an error; the db-engine doesn't understand it. It's totally useless without some help-function for the db-engine. Therefore it's impossible to manipulate it without using code.

If you look at the second query, it's possible to execute and manipulate the username with the db-engine alone.

Therefore it's safer to use prepared statements.
I hope this helps you further!
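As an added example, not code from the original question or answer, here is a complete login check along the lines the answer recommends: the raw form value goes straight into a PDO placeholder, nothing is run through htmlspecialchars() before the query, and the password is checked with password_verify() against a stored hash instead of being compared inside the SQL. It uses an in-memory SQLite database and one constructed sample row so it runs offline; the table and column names (users, name, pass_hash) are assumptions made for this example, and the DSN would be the poster's 'mysql:host=localhost;dbname=abba_sql' in practice.

```php
<?php
// Added example (not the original poster's or answerer's code).
// Runs offline against an in-memory SQLite database; table and column
// names below (users, name, pass_hash) are assumptions for this example.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw PDOException on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, pass_hash TEXT NOT NULL)');

    // Constructed sample account. Store a password hash, never the plaintext.
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
    $ins->execute([
        ':name' => 'hedge&hog',
        ':hash' => password_hash('sdf893', PASSWORD_DEFAULT),
    ]);
    return $db;
}

/**
 * Returns the user id on success, null on failure.
 * The raw form value is bound to the placeholder as-is: no htmlspecialchars(),
 * no manual quoting. The driver keeps the value out of the SQL text entirely.
 */
function login(PDO $db, string $name, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such user
    }
    // Constant-time comparison against the stored hash.
    return password_verify($password, $row['pass_hash']) ? (int) $row['id'] : null;
}

$db = makeDb();

// Correct: the raw value matches the stored name.
var_dump(login($db, 'hedge&hog', 'sdf893'));

// The poster's bug reproduced: HTML-escaping first changes the looked-up name.
var_dump(login($db, htmlspecialchars('hedge&hog'), 'sdf893'));

// Wrong password for an existing user.
var_dump(login($db, 'hedge&hog', 'wrong'));

// An injection attempt is just a string to compare, not SQL to run.
var_dump(login($db, "' OR 1=1 --", 'anything'));
```

Only the first call succeeds: the second looks up the name hedge&amp;hog, which nobody registered, the third fails password_verify(), and the fourth compares the literal string ' OR 1=1 -- against the name column because the placeholder never becomes part of the SQL text. With the MySQL driver you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the server, not the PHP driver, handles the parameters.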