Re: Fwd: Query results

From: "Joel Burton" <joel(at)joelburton(dot)com>
To: <trevor(at)hailix(dot)com>, <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Fwd: Query results
Date: 2002-03-19 18:12:55
Message-ID: JGEPJNMCKODMDHGOBKDNKEOCCFAA.joel@joelburton.com
Lists: pgsql-novice

> I am trying to set up a simple database authorization of users using
> PostgreSQL 7.2 and PHP 4.1. I have
> included the code below:
>

> <body>
> <?php
> switch($do) {
>
> case "authenticate":
>
> $Host = "localhost";
> $User = "trevor";
> $Password = "";
> $DBName = "users";
> $TableName="users";
>
> $Link = pg_connect("host=$Host dbname=$DBName user=$User")
> or die ("Couldn't
> connect to the database");
>
> $Query = "SELECT id from $TableName where username='$username' and
> password='$password'";
>
> $results = pg_exec($Link, $Query) or die ("Couldn't connect to the
> database");
>
> $num = pg_numrows($results) or die ("Couldn't count rows");
>
> if ($num == 1) {
>
> echo "<P>You are a valid user!<BR>";
> echo "Your user name is $username<BR>";
> echo "Your user password is $password</P>";
>
> }
> else if ($num == 0){
> unset ($do);
> echo "<P>You are not authorized! Please try
> again.</p>";
> include("login_form.inc");
> }
> break;
>
> default:
> include("login_form.inc");
> }
>
> ?>
> </body>
>
> This script works great as long as the name is in the database,
> but if it is not then $num has no value and consequently errors out.
> Even if you use the correct firstname and an incorrect password,
> the pg_numrows errors out.
>
> Any help would be appreciated.

How about:
if ($num >= 1) { valid }
else { invalid }

BTW, be careful with code like this. What will happen when someone enters a
username like "bob'; delete from important_table; select * from users where
username='bob".

PHP may see this as a select query, a delete query, and a select query. Make
sure your permissions in the database are tight, and consider using safe
quoting functions in PHP.

Joel
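A hardened version of the lookup quoted above, as an added example that is not from the original post: it passes the user-supplied values as bound parameters with pg_query_params() instead of interpolating them into the SQL text, compares against a stored password hash rather than echoing plaintext, and treats "no rows" as a normal result instead of dying on it. It assumes a PostgreSQL table users(id, username, password_hash) whose hashes were produced by password_hash(), a dedicated low-privilege connection role (app_login here is a placeholder), and PHP 7 or later with the pgsql extension.

```php
<?php
// Added example: hardened replacement for the quoted login check.
// Assumes table users(id serial, username text unique, password_hash text)
// where password_hash was produced by password_hash($pw, PASSWORD_DEFAULT).

function authenticate($conn, string $username, string $password): ?int
{
    // Parameters travel separately from the SQL text, so a username such as
    // "bob'; delete from important_table; ..." is just a string value and
    // cannot change the statement.
    $result = pg_query_params(
        $conn,
        'SELECT id, password_hash FROM users WHERE username = $1',
        [$username]
    );
    if ($result === false) {
        // A failed query is a server/config problem; log it, do not show it.
        error_log('login query failed: ' . pg_last_error($conn));
        return null;
    }

    // Zero rows is an ordinary outcome, not an error. The original used
    // "or die" on pg_numrows(), which dies whenever the count is 0.
    $row = pg_fetch_assoc($result);
    if ($row === false) {
        return null;
    }

    // Compare against the stored hash; never store or echo plaintext passwords.
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Placeholder connection details; app_login should own no more than SELECT on users.
$conn = pg_connect('host=localhost dbname=users user=app_login')
    or die('Could not connect to the database');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$id = authenticate($conn, $username, $password);
if ($id === null) {
    // Same message for unknown user and wrong password.
    echo '<p>Invalid username or password.</p>';
    include 'login_form.inc';
} else {
    // Echo only what the user already supplied, HTML-escaped.
    echo '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
}
```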
