I'm having some problems with this funct开发者_开发问答ion in the next code:
if(!($_SESSION['autenticado']))
if($_POST["user"] && $_POST["pass"])
{
$user=$_POST["user"];
$con=mysql_connect("localhost","root","3270");
mysql_select_db("futbol",$con);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
print_r($query);
mysql_real_escape_string($query);
mysql_query($query)or die mysql_error();
//print_r($pas);
//$_SESSION["autenticado"]=1;
}
Am I using it wrowng?
You need to call mysql_real_escape_string
on the string that needs escaping, not the whole query:
$user = mysql_real_escape_string($user);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
Addendum: if you are just exploring PHP's database integration, I'd urge you to have a look at PDO, which is a far more sophisticated and secure way of handling database operations.
Note also that you're not actually doing anything with mysql_query
. This returns a resource, that you can then use to get information. For example, to get the password returned, use the following:
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
$password = $row['us_pass'];
}
To answer your question, you are using it wrong, you want to call the escape function on just the input, not the entire query:
$user = mysql_real_escape_string($user);
That said, mysql_*
functions are deprecated and you should be using either PDO or MySQLi. Here's an example of a much better way to do it, using PDO:
$con = new PDO('mysql:dbname=futbol;host=127.0.0.1', 'root', '3270');
$stmt = $con->prepare('SELECT us_pass FROM user WHERE us_nom = :user');
$stmt->execute(array('user' => $user));
$result = $stmt->fetchAll();
mysql_real_escape_string
Should be escaping $user
before it's inserted in to the SQL query, then passed directly off to mysql_query
. The purpose of this is to avoid $_POST['user']
from having apostrophes in it that could otherwise foul up the query (since your user value is already surrounded in them.
e.g. if $_POST['user']
had joe'bob
as a value, your query would then become:
SELECT us_pass FROM user WHERE us_nom = 'joe'bob'
You can then see how a stray apostrophe could propose a problem.
Instead, try the following:
if(!($_SESSION['autenticado']))
if($_POST["user"] && $_POST["pass"])
{
$con=mysql_connect("localhost","root","3270");
$user=mysql_real_escape_string($_POST["user"]); // escape your value here (and move below connection)
mysql_select_db("futbol",$con);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
print_r($query);
mysql_query($query) or die mysql_error();
//print_r($pas);
//$_SESSION["autenticado"]=1;
// here you would mysql_fetch_array/result/etc. and get what
// was returned from the database
}
Based on your comments to the other answers: You are sending your form using POST
and not GET
right?
The only reasons that you're not seeing anything are your if
conditions not being met, a problem connecting to the database or an error in your php (with errors suppressed); the script does not reach your print_r
statement.
I´m not sure, but you also might want to use {}
for your first if
statement and clean-up your code a bit: I'd recommend isset()
instead of just feeding strings to if
statements.
And check your error log.
精彩评论