Yes, submit, inout, username and password all come from the index.php form submission, but username changes throughout the different pages, that was one of my problems. I'm not sure what I did wrong before, but once I set a variable using $_SESSION, I couldn't change it unless I close the browser and start over.
Just to make sure, register_globals should be set to off for best security reasons, correct? I guess that should have been my first question. And will sessions still work if it's turned off? Right now it's turned on for all my stuff to work. Thanks, Jake McHenry Nittany Travel MIS Coordinator http://www.nittanytravel.com > -----Original Message----- > From: Chris Hubbard [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 14, 2003 11:37 PM > To: Jake McHenry; [EMAIL PROTECTED] > Subject: RE: [PHP] Sessions Question > > > Jake, > given that I can't see what is in config.php time.php, I'll > focus on your index.php. I assume that the issues I point > out will be applicable to config and time also. > > this: > <? > should be: > <?php > > include("config.php"); > include("time.php"); > > assuming that $SuBmIt and inout and username and password all > come from your log in form it should read something like: > <START> if ($_POST["SuBmIT"]) { > // make sure posted variables are clean and are the > kind you expect > if ($_POST["inout"] != "") > { > // add other validation here > }else{ > $error[] = "inout not set"; > } > if ($_POST["username"] != "") > { > // add other validation here > }else{ > $error[] = "username not entered"; > } > if ($_POST["password"] != "") > { > // add other validation here > }else{ > $error[] = "password not entered"; > } > if (count($error) == 0) > { > $sql = "SELECT * FROM `users` WHERE `uname` > LIKE '%". $_POST["username"] ."%'"; > // insert code to strip out < and > signs and ; > // like this: > $sql = str_replace("<","",$sql); > $sql = str_replace(">","",$sql); > $sql = str_replace(";","",$sql); > // when we know that $sql is clean do the query > $result = mysql_query($sql); > $row = mysql_fetch_array($result); > </END> > The preceding should do roughly the same as your following > code. Note the sql query should not use LIKE (which you're > using) and you should use both the username and the password, > so something like this would be better $sql = "SELECT * FROM > `users` WHERE (`uname` = '". $_POST["username"] ."') AND > (`password` = '". md5($_POST["password"]) ."')"; You are > encrypting your password correct? > > <START> > if (($SuBmIt) && ($inout) && ($username) && ($password)) > { > $result = mysql_query("SELECT * FROM `users` WHERE `uname` > LIKE '$username'"); > $row = mysql_fetch_array($result); > </END> > > This should get you firmly on the road. NOTE: I have not run > the above code, so might work, and it might not. Either way > it's on you to sort out. > > Hope this is helpful, > chris > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
