[Resolved] password() syntax error

cheeks2k

I have a MySQL table with three fields: username, password and name. Password has the 'password' function applied to it.

I've written a password checking script which passes in two variables: $user_name and $pass_word.

When I use the following command:

$sql = "select * from login where username='$user_name'";

it works fine; when I include the password() function, however, it breaks down:

$sql = "select * from login where username='$user_name' and password = password( '$pass_word' )";

I've checked, then checked and checked again but it seems to be fine; what obvious step am I overlooking?

dmrn

Originally posted by cheeks2k
I have a MySQL table with three fields: username, password and name. Password has the 'password' function applied to it.

I've written a password checking script which passes in two variables: $user_name and $pass_word.

When I use the following command:
$sql = "select * from login where username='$user_name'";
it works fine; when I include the password() function, however, it breaks down:
$sql = "select * from login where username='$user_name' and password = password( '$pass_word' )";
I've checked, then checked and checked again but it seems to be fine; what obvious step am I overlooking? [/B]

i think that deals with the problem. But, what password function does?

$sql = "select * from login where username='$user_name' and password =".password( '$pass_word' );

cheeks2k

No, that doesn't seem to have worked. Here is my code in full; $user_name and $pass_word are being passed in by a previous page, and the database table contains the fields name, username and password.

<?php
if ( (!$username) or (!$password) )
{ header("Location:$HTTP_REFERER"); exit(); }

$conn = @mysql_connect("localhost","loginname","password")
or die("Could not connect to database");

$rs = @mysql_select_db("databasename", $conn)
or die("Could not select database");

$sql = "select * from login where username='$user_name' and password =.password( '$pass_word' )";

$rs = mysql_query($sql,$conn)
or die("Could not execute query");

$num = mysql_numrows($rs);

if ($num != 0)
{ $msg = "Welcome, $name, your log-in succeeded."; }
else
{ header("Location:$HTTP_REFERER"); exit(); }
?>

<html>
<head>
	<title>Untitled</title>
</head>

<body>

<?php echo($msg); ?>

</body>
</html>

Can anyone see the problem?

mrhappiness

you have to practive cut&paste...

why do you

die("Could not execute query")

and not

die('<hr />'.$sql.'<hr />'.mysql_error())

please change this and provide us with the new output

cheeks2k

What do you mean, practice cut&paste?
I've changed that line to the one you suggested and here's the output:

You have an error in your SQL syntax near '( 'june' )' at line 1

Which seems to mean that the problem is with calling the password from the table - but I knew that already!

mrhappiness

my code should also echo the sql-statement you use

cheeks2k

After a little experimenting I found two problems - having fixed them both, my code now works.

I put the wrong variable names in the 'if' check - it should have been
```
if ( (!$user_name) or (!$pass_word) )
```
There is no need for a 'dot' in the function() password - it is just
```
password = password( '$pass_word' )
```

Thanks for the help - sometimes just having someone to bounce ideas off is the best help of all!

PurpleMonkey

also you should escape your password so that mySQL is not confused

password( \" $password \" );

mrhappiness

if you use \" or ' doesn't matter