Re: Fwd: Query results
From | Joel Burton |
---|---|
Subject | Re: Fwd: Query results |
Date | |
Msg-id | JGEPJNMCKODMDHGOBKDNKEOCCFAA.joel@joelburton.com |
In reply to | Fwd: Query results (Trevor Morrison <trevor@hailix.com>) |
List | pgsql-novice |
> I am trying to setup a simple database authorization of users using
> Postgresql 7.2 and PHP 4.1. I have included the code below:
>
> <body>
> <?php
> switch($do) {
>
> case "authenticate":
>
>     $Host = "localhost";
>     $User = "trevor";
>     $Password = "";
>     $DBName = "users";
>     $TableName="users";
>
>     $Link = pg_connect("host=$Host dbname=$DBName user=$User")
>         or die ("Couldn't connect to the database");
>
>     $Query = "SELECT id from $TableName where username='$username' and
>         password='$password'";
>
>     $results = pg_exec($Link, $Query) or die ("Couldn't connect to the database");
>
>     $num = pg_numrows($results) or die ("Couldn't count rows");
>
>     if ($num == 1) {
>
>         echo "<P>You are a valid user!<BR>";
>         echo "Your user name is $username<BR>";
>         echo "Your user password is $password</P>";
>
>     }
>     else if ($num == 0){
>         unset ($do);
>         echo "<P>You are not authorized! Please try again.</p>";
>         include("login_form.inc");
>     }
>     break;
>
> default:
>     include("login_form.inc");
> }
>
> ?>
> </body>
>
> This script works great as long as the name is in the database, but if it is
> not then $num has no value and consequently errors out. Even if you use the
> correct firstname and an incorrect password the pg_numrows errors out.
>
> Any help would be appreciated.

How about:

    if ($num >= 1) {
        valid
    } else {
        invalid
    }

BTW, be careful with code like this. What will happen when someone enters a
username like "bob'; delete from important_table; select * from users where
username='bob". PHP may see this as a select query, a delete query, and a
select query. Make sure your permissions in the database are tight, and
consider using safe quoting functions in PHP.

Joel
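To make both of Joel's points concrete, here is a hardened version of the "authenticate" branch. This is an added example, not code from Trevor's message or from Joel's reply, and it assumes a newer PHP than the 4.1 in the thread: pg_query_params() (PHP 5.1+) for a parameterised query and password_verify() (PHP 5.5+) for checking a stored hash. It also assumes a users table with columns id, username and password_hash, and that the form posts username and password (the original relied on register_globals for $do, $username and $password).

```php
<?php
// Added example (not from the original thread). Assumed schema:
//   users(id, username, password_hash)   -- password_hash from password_hash()

function authenticate($link, $username, $password)
{
    // Parameterised query: the username is sent separately from the SQL text,
    // so quotes or semicolons in it cannot turn one statement into several.
    $sql = 'SELECT id, password_hash FROM users WHERE username = $1';
    $result = pg_query_params($link, $sql, array($username));
    if ($result === false) {
        // A failed query is an error, not "wrong user"; do not treat it as a login result.
        throw new RuntimeException('query failed: ' . pg_last_error($link));
    }

    // pg_num_rows() returns 0 for an unknown user. 0 is falsy, which is why
    // "pg_numrows(...) or die(...)" in the original script died on a bad login.
    $num = pg_num_rows($result);
    if ($num !== 1) {
        return false;
    }

    $row = pg_fetch_assoc($result);
    // Compare against the stored hash; the cleartext password never lives in the table.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    return (int) $row['id'];
}

$link = pg_connect('host=localhost dbname=users user=trevor')
    or die("Couldn't connect to the database");

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$id = authenticate($link, $username, $password);
if ($id !== false) {
    // htmlspecialchars() keeps the echoed username from injecting HTML into the page.
    echo '<p>You are a valid user, ' . htmlspecialchars($username, ENT_QUOTES) . '.</p>';
} else {
    // Same message for "no such user" and "wrong password", so the response
    // does not reveal which usernames exist.
    echo '<p>You are not authorized! Please try again.</p>';
    include 'login_form.inc';
}
?>
```

The row-count check is `$num !== 1` rather than `or die`, so an unknown user takes the "not authorized" path instead of killing the script. When creating accounts, store `password_hash($password, PASSWORD_DEFAULT)` in password_hash; the script never echoes the password back, and the database role used by the web server should only need SELECT on users for this query.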