| Chetan Graham wrote:
> Greetings to All,
> I am having difficulty in 'md5'ing a $var in a function before it is
> placed into the ("INSERT INTO table...
>
> The whole point is I don't want the MySQL DB logs showing my $var's
> password and username 'before' it is encrypted by MySQL's md5.
>
> When MySQL receives PHP's encrypted $var the log shows query INSERT with
> the 32 bits but it is not inserted into the DB.
>
> MySQL will not accept the $var's in the code that is commented out.
> It shows no errors by the way.
> MySQL accepts what is shown, but this is not as I explained what I want.
> Thanks In Advance,
> Chetan
>
> mysql_query("CREATE TABLE IF NOT EXISTS docproedit (
> id int(11) NOT NULL auto_increment,
> username BLOB NOT NULL default '',
> password BLOB NOT NULL default '',
> TimeEnter timestamp,
> PRIMARY KEY (id)
> )
> ENGINE=MyISAM;")or die('Create Died' . mysql_error());
>
>
> <?php
> $db_server='localhost';
> $db_user='root';
> $db_pass='somepassword';
> $db_name='aims site';
> $tbl_name='docproedit';
> $con = mysql_connect($db_server,$db_user,$db_pass) or die(mysql_error());
> $q=mysql_select_db($db_name, $con) or die(mysql_error());
>
> function addNewUser($username,$password){
> global $q;
> global $tbl_name;
> global $con;
> //$user=md5($username);
> //$pass=md5($password);
> //mysql_query("INSERT INTO $tbl_name
> (username,password)VALUES('$user'),('$pass')");
You need to use mysql_real_escape_string in your queries so things like
' and " get escaped properly.
Otherwise you end up with:
$username = "my 'username";
$password = "my 'password";
insert into table(username, password) values ('my 'username', 'my 'password');
This is called SQL injection and you need to check to make sure they are
escaped.
Please read http://phpsec.org/projects/guide/3.html
--
Postgresql & php tutorials
http://www.designmagick.com/
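An added example of the fix the reply describes, written for this thread and not code from either poster: addNewUser() rewritten so the password is hashed in PHP before the query string is built (so the MySQL query log only sees the hex digest) and both values go through mysql_real_escape_string(). It assumes the same $con connection and $tbl_name as the original post and keeps the legacy mysql_ extension the thread uses.

```php
<?php
// Added example, not the original poster's code. Assumes $con and $tbl_name
// exactly as set up in the quoted post (localhost, table docproedit).

function addNewUser($username, $password) {
    global $con, $tbl_name;

    // Hash in PHP, not in SQL: only the 32-character hex digest ever reaches
    // the server, so the query log never contains the cleartext password.
    // md5() is kept because it is what the thread uses; it is not a suitable
    // password hash, and modern code should use password_hash() instead.
    $hash = md5($password);

    // Escape every user-controlled value against the live connection so a
    // quote inside the username cannot terminate the string literal.
    $safe_user = mysql_real_escape_string($username, $con);
    $safe_hash = mysql_real_escape_string($hash, $con); // hex only, but be consistent

    // One row means one VALUES (...) tuple. The commented-out original,
    // VALUES('$user'),('$pass'), is two one-column tuples for a two-column
    // column list, which MySQL rejects; that is why nothing was inserted.
    $sql = "INSERT INTO $tbl_name (username, password) "
         . "VALUES ('$safe_user', '$safe_hash')";

    if (!mysql_query($sql, $con)) {
        die('Insert failed: ' . mysql_error($con));
    }
    return true;
}

// Example call with the reply's sample input (constructed values).
addNewUser("my 'username", "my 'password");
```

With that input the query sent to the server reads `VALUES ('my \'username', '<32 hex chars>')`, which MySQL parses as a single string literal in each column rather than as the broken statement shown in the reply.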