  1. #1
    Regular Coder
    Join Date
    Jun 2005
    Posts
    153
    Thanks
    26
    Thanked 0 Times in 0 Posts

    Submitting with " <-- quotes

    Hello Everyone,

    I have a password field in my form. If you enter in any " or ' the data contains \" and \'. So my password will change from a'b"c to a\'b\"c. That's great except it's not the right password. I tried to remove the slashes with strpos() and substr(). Forcing characters back in...

    Is there an easier way to do this? (Considering my attempt at parsing the password didn't work anyway)

    -questionable

  • #2
    Banned
    Join Date
    Apr 2007
    Posts
    428
    Thanks
    29
    Thanked 5 Times in 5 Posts
    You need to parse your password before storing it into the MySQL database, and then have a way to check whether the input password is the same as the password you get for the selected username.
    It really doesn't matter whether it has \ for special characters.

  • #3
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,642
    Thanks
    2
    Thanked 405 Times in 397 Posts
    Use sha1() or similar to store the password as a hash in the database, and then check it against a hash of the form's password field when they log in. Also, if your host has magic_quotes on you can use stripslashes() to remove them before trying to use the password(s).

  • Users who have thanked Inigoesdr for this post:

    questionable (11-04-2007)

  • #4
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    I use this function when escaping data
    Code:
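    // Prepare one submitted value for use inside a MySQL query string.
    function escape_data ($data)
    {
    	global $dbc; // need the connection.
    	// Undo the backslashes PHP added automatically, so the value is not escaped twice.
    	if(ini_get('magic_quotes_gpc'))
    	{
    		$data = stripslashes($data);
    	}
    	// Escape once, using the character set of the open connection.
    	return mysql_real_escape_string($data, $dbc);
    }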
    Where $dbc is the mysql_connect statement.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • Users who have thanked _Aerospace_Eng_ for this post:

    questionable (11-04-2007)
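
The flow this thread arrives at (strip the magic-quotes slashes, hash the password, compare hashes at login), as an added example that is not code from any poster here. It uses password_hash()/password_verify() in place of the sha1() suggested in #3 and a PDO prepared statement in place of mysql_real_escape_string() from #4; the users table, the in-memory SQLite database (needs the pdo_sqlite extension) and the helper names are assumptions.

```php
<?php
// Added example: table, helper names and sample values are constructed for illustration.

// Undo the backslashes magic_quotes_gpc adds, so a'b"c is not stored as a\'b\"c.
// ini_get() returns false on PHP versions where the setting no longer exists.
function raw_input_value(string $value, ?bool $magicQuotes = null): string
{
    $magicQuotes ??= (bool) ini_get('magic_quotes_gpc');
    return $magicQuotes ? stripslashes($value) : $value;
}

function register_user(PDO $db, string $name, string $password): void
{
    // Hash the exact password; the bound parameters need no manual escaping.
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();   // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Constructed input: the bytes a\'b\"c, as PHP hands them over with magic quotes on.
$submitted = 'a\\\'b\\"c';
$password  = raw_input_value($submitted, true);

register_user($db, 'alice', $password);

var_dump($password === 'a\'b"c');                 // compare with the intended password
var_dump(check_login($db, 'alice', 'a\'b"c'));    // log in with the intended password
var_dump(check_login($db, 'alice', $submitted));  // log in with the slash-mangled form
```

The same raw_input_value() call has to run on both the registration and the login path; if only one side strips the slashes, the two hashes never match.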

