Hi Jas:

> if ((!$u_name) || (!$p_word) || (!$image)){

What if the variables aren't submitted at all? Better to test for empty() on each variable. Avoids Warnings if error reporting is high.

> require '/path/to/database/connection/script/dbcon.php';

Put a @ in front of that require to keep an error message from revealing the paths of your two vital scripts.

> $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw =
> password(\"$pw\")";

You're sending uncleaned information to your database. Not cool. Use regular expressions to make sure there are no nasty characters and that the items conform to expected parameters.

> $p_hash = "$p_word";
> $to_hash = "$image";

Why waste time assigning these things to other variables when you don't need to? Also, the quotes are superfluous.

> $pstring = md5($to_hash);
> $image_sel = md5(uniqid(microtime($p_word),1));
> session_start();
> session_register('user');
> session_register('$pstring');
> session_register('$image_sel');

Exactly why are you storing all of this stuff in the session? You've already validated them upfront.

Dude, let me be straight up. The reason I didn't reply thus far is you sent a huge mass of poorly formatted code to the list. I took one look at it and thought, why do I need to deal with that mess.

--Dan

--
PHP classes that make web design easier
SQL Solution | Layout Solution | Form Solution
sqlsolution.info | layoutsolution.info | formsolution.info
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
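The two input checks suggested in the reply above (empty() on each field, then a regular expression per field), as an added example that is not part of the original thread. The field names come from the quoted code; the function name `validate_login`, the `FIELD_RULES` table and every pattern in it are assumptions made for illustration.

```php
<?php
// Added example. Patterns are assumed formats, not taken from the thread.
// \A and \z anchor the whole string; "$" would also accept a trailing newline.
const FIELD_RULES = [
    'u_name' => '/\A[A-Za-z0-9_]{3,32}\z/',   // assumed username format
    'p_word' => '/\A[\x20-\x7E]{8,72}\z/',    // assumed: printable ASCII, length-bounded
    'image'  => '/\A[A-Za-z0-9_-]{1,64}\z/',  // assumed image identifier format
];

// Returns [clean values, errors keyed by field name].
function validate_login(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $pattern) {
        // empty() is safe on a key that was never submitted, so no notice
        // is raised. It also treats the string "0" as empty.
        if (empty($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        // A request can submit u_name[]=x, which arrives as an array;
        // reject non-strings before they reach preg_match().
        if (!is_string($input[$field]) || preg_match($pattern, $input[$field]) !== 1) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $input[$field];
    }
    return [$clean, $errors];
}

// Constructed sample submissions.
$samples = [
    'well-formed'   => ['u_name' => 'jas_01', 'p_word' => 'correct horse 9', 'image' => 'img_42'],
    'field missing' => ['u_name' => 'jas_01', 'p_word' => 'correct horse 9'],
    'quote in name' => ['u_name' => 'x" OR "1"="1', 'p_word' => 'correct horse 9', 'image' => 'img_42'],
    'array value'   => ['u_name' => ['a'], 'p_word' => 'correct horse 9', 'image' => 'img_42'],
];

foreach ($samples as $label => $input) {
    [$clean, $errors] = validate_login($input);
    echo $label, ': ', $errors ? json_encode($errors) : 'ok', PHP_EOL;
}
```

The assumed password pattern still admits quote characters, so validation of this kind narrows what reaches the query but does not make string interpolation safe; the values should still be passed to the database as bound parameters.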