Perl PHP MySQL

Forum Moderators: coopster

Message Too Old, No Replies

Perl PHP MySQL

th1chsn

1:21 am on Jun 17, 2003 (gmt 0)

Hello,

I have a membership system to manage my membership site written in perl. The pages on the members site are in php with a MySQL backend. The pages are also dynamically generated.

What I am trying to do is capture the username when the user logs in so that I know which record to display on the page. Sounds simple enough but I can't get it to work.

The membership program supposedly passes a cookie as the username. This is what I have in the index.php page when the user logs in.

Thanks in advance for your help.

<?php
require('db_spec.php');
$option_sql = new DB("$dbhost", "$dbuser", "$dbpass", "$db");
if (!$option_sql->open())
{
die($option_sql->error());
}
echo "SELECT * FROM userinfo where Username=".$_COOKIE["$mojousn"];
if (!$option_sql->query("SELECT * FROM userinfo where Username=".$_COOKIE["$mojousn"]))
{
die($option_sql->error());
}
$option_row = $option_sql->fetchAssoc();
?>

jatar_k

1:24 am on Jun 17, 2003 (gmt 0)

try

$_COOKIE['mojousn']

instead of

$_COOKIE["$mojousn"]

assuming mojousn is the name of the var in the cookie

th1chsn

1:51 am on Jun 17, 2003 (gmt 0)

Hi jatar, I get errors in the SQL syntax when I do that. It's actually the same error as the double quotes.

Maybe the var in the cookie is incorrect? This is where the membership program looks to be setting the cookie. Can I call $mj{mem70} in php?

$MEMBER{username} = $MEMBER{password} = $FORM{step} = "";
$CONFIG{setcookie_now}=1;
&MemberLogin($mj{mem70});

jatar_k

1:57 am on Jun 17, 2003 (gmt 0)

I think the dollar sign is one problem the other could be the quotes in the actual query

if (!$option_sql->query("SELECT * FROM userinfo where Username='".$_COOKIE['mojousn']."'"))

that will quote the value properly for mysql.

th1chsn

2:15 am on Jun 17, 2003 (gmt 0)

That was it! I am able to get in now!

When I log in I am not displaying any values for the places where I am calling for a value. Does that mean that the cookie I am calling is wrong?

grahamstewart

3:03 am on Jun 17, 2003 (gmt 0)

Note: its a bad idea to take the value of the cookie and plug it directly into the HTML. It leaves you wide open to SQL Injection attacks.

For instance if I changed my cookie so my username was ' or '' == ' then the SQL would become..


SELECT * FROM userinfo where Username='' or '' == ''

which might let me into your system.

You should at least use addslashes() on the cookie data first.

th1chsn

3:24 am on Jun 17, 2003 (gmt 0)

Hi Graham, thanks for your post. I want the site to be secure. This is the flow of my site...

A user goes to the login page and logs in. They hit the membership program where they are redirected to the index.php page. That's fine until I decided to dynamically generate content on the index page. So I need some way for the code to take the username that is entered in the login form and hold on to it so it knows which record to call.

How would you do this?

grahamstewart

6:52 am on Jun 17, 2003 (gmt 0)

Sounds like I'd store the user name in a session variable.

But I'd also be careful to validate the data from the login form before I used it to select against the database.

For example if I only expected usernames to contain alphanumeric characters then I'd check that before I did any checking against the database.

If I was allowing more complicated usernames then I'd use either addslashes() or htmlentities() on it to get rid of any dodgy characters.

Hope that helps.

Perl PHP MySQL

th1chsn

jatar_k

th1chsn

jatar_k

th1chsn

grahamstewart

th1chsn

grahamstewart

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week