INSERT and SESSION

[wut]

Just want to know if it is possible to do something like this? If so, how?

 

$qry = "SELECT * FROM users WHERE password='$password' AND username='$_SESSION['SESS_USER_NAME']'";

[gizmola]

Yes.

 

$qry = "SELECT * FROM users WHERE password='$password' AND username='{$_SESSION['SESS_USER_NAME']}'";

 

Of course, insuring that there is a value in SESS_USER_NAME is up to you.

 

I also would want to insure that $password and $_SESSION['SESS_USER_NAME'] have been escaped with mysql_real_escape_string() (assuming you're using mysql).

[wut]

Chances are I'm doing something terribly wrong because I've been at this all day and my brain is fried!

 

I'm trying to make a change password script, when there is a password entered in the current password field to check it against the username and password that is stored in the mysql database. If incorrect details are entered there is no error message passed back?

 

$errflag = false;

if($password != '') {
	$qry= "SELECT * FROM users WHERE password='$password' AND username='{$_SESSION['SESS_USER_NAME']}'";
	$result = mysql_query($qry);
	if(!$result) {
		$errmsg_arr[] = 'Current password is not correct';
		$errflag = true;
	}
}

if($errflag) {
	$_SESSION['ERRMSG_PASS'] = $errmsg_arr;
	session_write_close();
	header("location: member-profile.php");
	exit();
}

[ManiacDan]

If incorrect details are entered there is no error message passed back?

If there's no match, $result will still be an object. You need to be using mysql_num_rows here.

 

Also, your passwords don't appear to be encrypted.

[wut]

So something like?

if($password != '') {
	$qry= "SELECT * FROM users WHERE password='$password' AND username='{$_SESSION['SESS_USER_NAME']}'";
	$result = mysql_num_rows($qry);
	if($result < 0) {
		$errmsg_arr[] = 'Current password is not correct';
		$errflag = true;
	}
}

 

Yeah it's a uni project and my lecturer needs to see the passwords in mysql and that they have changed  not sure of anohter way to go about that

[gizmola]

First off, yes you can use mysql_num_rows() or you can change the query to return a count(*) and check that value.  Which you should use depends on what you intend to do with the data you queried.  If you are going to fetch the data from the users table and use that in the script, then doing a SELECT * FROM users makes sense.  If you only care if you find a matching row, then I would do a 'SELECT count(*) as countof FROM...' instead which will always return one row (so long as the query is valid), and which you can then fetch the value and use that in your query.

 

As for passwords,  the best practice is to hash the passwords, using an md5() or sha1() hash.  You would also want to add a salt value to the input, but I think that even if you just sha1() the value, that would be great, considering it's an assignment.

 

The idea of a hash is that it can not be decrypted, so when you save a user row, you save the sha1($password) to the password column.  Then when you are checking you compare with the sha1($password) of the user input.

 

Here's corrections for your code with the sha1() hashing.

 

 

$password = trim($password);
// Make sure they don't just enter a bunch of spaces.
if (!empty($password)) {
                $password = sha1($password);
	$qry= "SELECT * FROM users WHERE password='$password' AND username='{$_SESSION['SESS_USER_NAME']}'";
	$result = mysql_num_rows($qry);
	if ($result 			$errmsg_arr[] = 'Current password is not correct';
		$errflag = true;
	}
} else {
                $errmsg_arr[] = 'Password required';
	$errflag = true;
}