Thanks for that function.
I have echoed the $username value to the screen and it displays the username
user/'s
There is a value in the database where username is equal to user/'s
Unfortunately, it still will not log in and gives me an invalid login message.
My updated code is shown below:
function login_results()
{
    /* Convert to simple variables */
    $username = $_POST['username'];
    $password = $_POST['password'];
    /* END Convert to simple variables */

    /* Let's strip all HTML and avoid encapsulated letters */
    $username = strip_tags($username);
    //$username = encode($username);
    $password = strip_tags($password);
    //$password = encode($password);
    /* END Let's strip all HTML and avoid encapsulated letters */

    /* Validation of input */
    if((!$username) || (!$password)){
        echo '<font color="#FF3300">Please enter ALL of the information!</font>';
        return false;
    }
    /* END Validation of input */

    $password2 = MD5($password);

    /* Check if the user info validates the db */
    echo $username;
    $sql = mysql_query("SELECT * FROM cms_users WHERE username='$username' AND password='$password2'");
    $login_check = mysql_num_rows($sql);
    if($login_check > 0){
        while($row = mysql_fetch_array($sql))
        {
            /* END Check if the user info validates the db */

            /* Collect variables from db */
            $email = mysql_query("SELECT email FROM cms_users WHERE username = '$username'");
            $email = mysql_result($email, 0);
            $user_id = mysql_query("SELECT user_id FROM cms_users WHERE username = '$username'");
            $user_id = mysql_result($user_id, 0);
            $user_level = mysql_query("SELECT user_level FROM cms_users WHERE username = '$username'");
            $user_level = mysql_result($user_level, 0);
            /* END Collect variables from db */

            /* Update last login date */
            mysql_query("UPDATE cms_users SET last_login=now() WHERE username='$username'");
            /* END Update last login date */

            /* Method to only update points on a per hour basis */
            mysql_query("UPDATE cms_users SET user_points = user_points+1 WHERE username= '$username' AND point_interval < NOW()- 3600");
            mysql_query("UPDATE cms_users SET point_interval = now() WHERE username='$username'");
            /* END Method to only update points on a per hour basis */

            /* Register some session variables */
            $username = encode($username);
            $_SESSION['username'] = $username;
            /* END Register some session variables */
        }
    }else {
        echo '<font color="#FF3300">Invalid Login</font>';
        return false;
    }
}
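
The failure described in the post above, reproduced as an added example that is not part of the original post: the quote inside `user/'s` ends the SQL string literal early when the value is interpolated, while a bound parameter carries the same value intact. It assumes PDO with an in-memory SQLite table standing in for `cms_users` (the post uses the `mysql_*` functions), a constructed sample row and password, and hypothetical function names `login_interpolated` and `login_bound`; `md5()` is kept only to match the hashes the post stores.

```php
<?php
// Added example. Constructed in-memory table standing in for cms_users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cms_users (
    user_id INTEGER PRIMARY KEY, username TEXT, password TEXT,
    email TEXT, user_level INTEGER)");

// Constructed sample row; the username is the value quoted in the post.
$seed = $db->prepare(
    "INSERT INTO cms_users (username, password, email, user_level) VALUES (?, ?, ?, ?)");
$seed->execute(["user/'s", md5('secret'), 'user@example.com', 1]);

// Same query shape as the post: the value is pasted into the SQL text, so the
// quote in the username closes the literal and the statement no longer parses.
function login_interpolated(PDO $db, string $username, string $password)
{
    $hash = md5($password);
    try {
        $res = $db->query(
            "SELECT * FROM cms_users WHERE username='$username' AND password='$hash'");
        return $res->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Bound parameters: the SQL text is fixed and the values travel separately,
// so quotes in the username are compared as data and never parsed as SQL.
// One SELECT also returns the columns the post fetches with three queries.
function login_bound(PDO $db, string $username, string $password)
{
    $stmt = $db->prepare(
        "SELECT user_id, email, user_level FROM cms_users
         WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $username, ':p' => md5($password)]);
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
}

var_dump(login_interpolated($db, "user/'s", 'secret')); // syntax error from the driver
var_dump(login_bound($db, "user/'s", 'secret'));        // the matching row
var_dump(login_bound($db, "user/'s", 'wrong'));         // false: wrong password
```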