mysql_real_escape
 

hey i need some help with this login form.
everytime i do this i get login failed even though it is in the database/table/row!
Plz tell me whats wrong?
Yes i already connected and selected the database.

Re: mysql_real_escape
 

You only need to use mysql_real_escape_string to quote a string for use in a query. MySQL returns strings from the database in a literal (unescaped) form. You should read about mysql_real_escape_string in the php manual.

Also, $row in your code is going to represent the FIRST user selected from the database. Your SQL query selects ALL users, instead of selecting ONLY the user identified by $username. This will result in checking the password against the wrong user most of the time if you have multiple users in the table.

Example:

Re: mysql_real_escape
 

IIRC, SQL uses single quotes for strings, which is always a pain for me because it's back asswards from everything else I use. Also, mysql_fetch_array has both the numerical and associative indices, so using it should work fine.

@kishou: You can also use a loop to compare against all of the things pulled from the table, but using a WHERE clause in the SQL query like dr.p showed is what you want for this situation. (If for some reason you allow the same username multiple times, then you'll need the loop as well.)

Re: mysql_real_escape
 

Thx. but im just wondering when should i use the $username instead of $_POST["username"]? like when im inserting it into the database? because im just starting to learn about SQL injection.

Re: mysql_real_escape
 

In my original reply, I said: "You only need to use mysql_real_escape_string to quote a string for use in a query."

Just so that we're clear, $username contains the escaped version of $_POST['username'], which is returned by mysql_real_escape_string in your code.

Whether you want to insert a string, update it, select with it, anything... if the contents of a variable (like $_POST['username']) need to go into a query/statement as a string, then you need to escape it.

Read the PHP manual page for mysql_real_escape_string on php.net. It goes over what the function is for, provides examples, and has some very important security information.

Re: mysql_real_escape
 

SQL specifications, or SQL implementations? MySQL is what I'm used to using, and it allows single or double quotes.

And mysql_fetch_array stores two sets of the requested information in memory in order to make it available by numeric and associative. Best practice is to use which one you need, unless you actually need both.

Re: mysql_real_escape
 

I've been using MSSQL lately, so maybe it's just been too long since I used MySQL. Thanks for setting me straight :icon_redface:

Out of curiosity, why is using the specific array (assoc/numeric) considered a best practice? Just because you limit the ways to access the data?

Re: mysql_real_escape
 

I get corrected all the time... depending on who I'm talking to. I kind of expect it. ;) I only knew that because I've been using MySQL daily for 8 years now.

Because I'm really anal about memory usage. _array returns the SELECT results twice in the same array in order to store by numeric and associative indices (at least, I'm 99.9% sure it does.) If I don't need both indices, I prefer to save the memory.

And the PHP docs say that _array doesn't cause a significant slow down, but I have doubts about that when it comes to large amounts of data, based on some of the scripts I've worked on. In all fairness to PHP, though, it had gotten to the point where every little bit helped.

Re: mysql_real_escape
 

Before fetching the row, make sure it exists - if the user isn't there, you'll get 0 rows returned.