question on Variables

[saltedm8]

would this work if i used Variables to replace the 'username' and 'password' here ?

PHP: Select all

mysql_query("INSERT INTO `members` VALUES (1, 'username', md5('password') )"); 

e.g

PHP: Select all

mysql_query("INSERT INTO `members` VALUES (1, '$username', md5('$password') )"); 

i want to create a form where those values can be changed.

thank you

[c010depunkk]

You got it! That not only works, that is the whole point of using PHP!!!

[saltedm8]

thank you, i just did not know if it would literly insert '$username' and '$password'

so how would i change the values from a form ?

[c010depunkk]

Here's a little modified chunk of the login script I use on my site. Feel free to ask about anything you don't understand:

PHP: Select all

<?php

$error_message='';
if(isset($_POST['login_user'])) {
    // get user info for posted values
    $user_name=mysql_real_escape_string($user_name);
    $query=mysql_query("SELECT id FROM users WHERE user_name = '".$user_name."'");
    if(mysql_num_rows($query)>0) {
        $query=mysql_query("SELECT * FROM users WHERE user_name = '".$user_name."' AND password = '".mysql_real_escape_string($password)."'");
        if($row=mysql_fetch_object($query)) {
            // log user in
            $_SESSION['logged_in']=true;
        } else {
            $error_message.='Password is not correct.';
        }
    } else {
        $error_message.='User name does not exist.';
    }
}

if($_SESSION['logged_in']) { // user logged in
?>
<p>You are logged in</p>
<?php } else { ?>
<p>please login.</p>
<?php echo(($error_message!=''?'<div class="error">'.$error_message.'</div>':'')); ?>
<div class="contact">
    <form name="contact" action="<?php echo($link_prefix); ?>login" method="post">
        <p>User Name: <input class="box" type="text" name="login_user" value="<?php echo($_POST['login_user']); ?>" /></p>
        <p>Password: <input class="box" type="password" name="login_pass" /></p>
        <p><input class="button" type="submit" action="submit" value="Login" />
    </form>
</div>
<?php } ?>

The part that you are interested in is where I access the values from the form using the $_POST array. If a form element has a name tag like so:

Code: Select all

<input type="text" name="username" />

Then you can access it in PHP like so:

PHP: Select all

$my_variable = $_POST['username']; 

[saltedm8]

once the form is submitted is the value then stored for good in the variable? ( unless changed ) - simply because i have taken that a variable has to = something, what does it = ?

where is the value stored ?

[alexgeek]

I'm not too sure what you mean,
but once the form is submitted and the variable is put into the database, it will stay in the database.
The php variable will be lost when that particular script is ended.
Hope that is what you were asking.

[saltedm8]

ahhh, i think i have got it,

so i need to post the form data to the database and the variable will recover it

UPDATE 'members' etc

[AdRock]

Quote:

Originally Posted by saltedm8

would this work if i used Variables to replace the 'username' and 'password' here ?

PHP: Select all

mysql_query("INSERT INTO `members` VALUES (1, 'username', md5('password') )"); 

e.g

PHP: Select all

mysql_query("INSERT INTO `members` VALUES (1, '$username', md5('$password') )"); 

i want to create a form where those values can be changed.

thank you

Presuming the first field is an id field which auto-increments I would use '' (2 single quotes) instead of a number

[saltedm8]

does this look right ?

PHP: Select all

<?php include 'config.php';?>
<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
if (isset($_POST['submit'])) {
  $user = $_POST['username'];
  $pass = $_POST['password'];
  $sql="UPDATE members (username, password,)
        VALUES ('$user', '$pass')";  
mysql_select_db("$dbname",$conn);
mysql_query($sql) or die (mysql_error());
}
 
?>

[AdRock]

This is how I do it and you need to specify which record is getting updated (after the WHERE clause)

PHP: Select all

sql="UPDATE members SET username='$user', password='$pass' WHERE ........ "; 

Here is my query

PHP: Select all

$query="UPDATE articles SET title='$name', content='$newstr' WHERE id='$ud_id'"; 

[c010depunkk]

What you're doing there is very dangerous and can and will be exploited by SQL injection. (Google for that if you're not sure SQL injection is). ALWAYS check user input before you use it in an SQL query!!!!

PHP: Select all

 $user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']); 

[simonb]

Quote:

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application

Quote:

A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet

[alexgeek]

SQL Injection video