question on Variables

saltedm8 · #1 Oct 8th, 2007, 19:17

would this work if i used Variables to replace the 'username' and 'password' here ?


mysql_query("INSERT INTO `members` VALUES (1, 'username', md5('password') )");

e.g

PHP: Select all


mysql_query("INSERT INTO `members` VALUES (1, '$username', md5('$password') )");

i want to create a form where those values can be changed.

thank you

c010depunkk · #2 Oct 8th, 2007, 19:42

You got it! That not only works, that is the whole point of using PHP!!!

saltedm8 · #3 Oct 8th, 2007, 19:44

thank you, i just did not know if it would literly insert '$username' and '$password'

so how would i change the values from a form ?

c010depunkk · #4 Oct 8th, 2007, 20:00

Here's a little modified chunk of the login script I use on my site. Feel free to ask about anything you don't understand:

PHP: Select all


<?php

$error_message='';
if(isset($_POST['login_user'])) {
    // get user info for posted values
    $user_name=mysql_real_escape_string($user_name);
    $query=mysql_query("SELECT id FROM users WHERE user_name = '".$user_name."'");
    if(mysql_num_rows($query)>0) {
        $query=mysql_query("SELECT * FROM users WHERE user_name = '".$user_name."' AND password = '".mysql_real_escape_string($password)."'");
        if($row=mysql_fetch_object($query)) {
            // log user in
            $_SESSION['logged_in']=true;
        } else {
            $error_message.='Password is not correct.';
        }
    } else {
        $error_message.='User name does not exist.';
    }
}

if($_SESSION['logged_in']) { // user logged in
?>
<p>You are logged in</p>
<?php } else { ?>
<p>please login.</p>
<?php echo(($error_message!=''?'<div class="error">'.$error_message.'</div>':'')); ?>
<div class="contact">
    <form name="contact" action="<?php echo($link_prefix); ?>login" method="post">
        <p>User Name: <input class="box" type="text" name="login_user" value="<?php echo($_POST['login_user']); ?>" /></p>
        <p>Password: <input class="box" type="password" name="login_pass" /></p>
        <p><input class="button" type="submit" action="submit" value="Login" />
    </form>
</div>
<?php } ?>

The part that you are interested in is where I access the values from the form using the $_POST array. If a form element has a name tag like so:

Code: Select all

<input type="text" name="username" />

Then you can access it in PHP like so:

PHP: Select all


$my_variable = $_POST['username'];

saltedm8 · #5 Oct 8th, 2007, 20:08

once the form is submitted is the value then stored for good in the variable? ( unless changed ) - simply because i have taken that a variable has to = something, what does it = ?

where is the value stored ?

alexgeek · #6 Oct 8th, 2007, 20:29

I'm not too sure what you mean,
but once the form is submitted and the variable is put into the database, it will stay in the database.
The php variable will be lost when that particular script is ended.
Hope that is what you were asking.

saltedm8 · #7 Oct 8th, 2007, 20:40

ahhh, i think i have got it,

so i need to post the form data to the database and the variable will recover it

UPDATE 'members' etc

AdRock · #8 Oct 8th, 2007, 20:43

Quote:

Originally Posted by saltedm8

would this work if i used Variables to replace the 'username' and 'password' here ?

PHP: Select all


mysql_query("INSERT INTO `members` VALUES (1, 'username', md5('password') )");

e.g

PHP: Select all


mysql_query("INSERT INTO `members` VALUES (1, '$username', md5('$password') )");

i want to create a form where those values can be changed.

thank you

Presuming the first field is an id field which auto-increments I would use '' (2 single quotes) instead of a number

saltedm8 · #9 Oct 8th, 2007, 21:26

does this look right ?

PHP: Select all


<?php include 'config.php';?>
<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
if (isset($_POST['submit'])) {
  $user = $_POST['username'];
  $pass = $_POST['password'];
  $sql="UPDATE members (username, password,)
        VALUES ('$user', '$pass')";  
mysql_select_db("$dbname",$conn);
mysql_query($sql) or die (mysql_error());
}
 
?>

AdRock · #10 Oct 8th, 2007, 21:32

This is how I do it and you need to specify which record is getting updated (after the WHERE clause)

PHP: Select all


sql="UPDATE members SET username='$user', password='$pass' WHERE ........ ";

Here is my query

PHP: Select all


$query="UPDATE articles SET title='$name', content='$newstr' WHERE id='$ud_id'";

c010depunkk · #11 Oct 9th, 2007, 06:13

What you're doing there is very dangerous and can and will be exploited by SQL injection. (Google for that if you're not sure SQL injection is). ALWAYS check user input before you use it in an SQL query!!!!

PHP: Select all


 $user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

simonb · #12 Oct 9th, 2007, 06:17

Quote:

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application

Quote:

A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet

alexgeek · #13 Oct 12th, 2007, 00:16

SQL Injection video

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Using Variables in ASP with LightBox	LeeNic	Classic ASP	4	Mar 18th, 2008 15:12
Multiplying variables...	Germaris	Flash & Multimedia Forum	2	Feb 27th, 2008 23:26
Form - variables not going through	comaiwat	JavaScript Forum	3	Oct 24th, 2007 13:53
Variables!!	bionics	PHP Forum	6	Apr 25th, 2006 15:39
Get URL and use variables	JamieH	PHP Forum	2	Jan 1st, 2006 03:13

		Webforumz.com > Main Forums > Program Your Website > PHP Forum
question on Variables