$_POST question from newb


Hi everyone,
I have a question about using this variable.  I am new to programming and I
had a book that was a couple of years old regarding php programming.  None
of the examples were working correctly, until I discovered that my new
version of PHP 4.4 disabled global variables.  I figured out how to make
the following php script work correctly, but I don't know if the way I made
it work is the accepted way of doing things with  $_POST. I created new
variables in the php script. If anyone could take a look at the following
html and php script, and let me know if this is the right way of doing it
or if there is a better way, I would greatly appreciate it.  Thanks in
advance.   pete

<html>
<head>
    <title>Mailman Login Window</title>
</head>
<body bgcolor="white">
<TABLE cellspacing=1 cellPadding=1 align=center>
  <tr><td>
    <P align=center>Welcome to the<br>&nbsp;</P>
  </td></tr>
  <tr><td>
    <H2 align=center>Mailing List</H2>
  </td></tr>
  <tr><td>
    <p align=center>Web Application</p>
  </td></tr>
</TABLE>
Please provide the requested information:
<FORM action=trylogon.php method=post>
<TABLE border=1 align=center cellspacing=2 cellPadding=6>
  <tr>
    <td>Enter User Name:</td>
    <td><INPUT size=15 name=username></td>
  </tr>
  <tr>
    <td>Enter Password:</td>
    <td><INPUT type=password size=15 name=password></td>
  </tr>
  <tr>
    <td><P align=center><INPUT type=submit value=Login name=submit></P></td>
    <td><P align=center><INPUT type=reset value=Clear></P></td>
  </tr>
</TABLE>
</FORM>
</body>
</html>

<?php
$connection = mysql_connect("localhost","user","password");

$db = "mailman";

mysql_select_db($db,$connection) or die("Could not open $db");

// form values are dropped straight into the SQL string below, unescaped
$username =  ($_POST['username']);
$password =  ($_POST['password']);
$sql = "Select * from users where username = '$username' and password = '$password'";

$result = mysql_query($sql,$connection) or die("Could not execute sql");  // the rest of this message was cut off in the post

$num_rows = mysql_num_rows($result);

// any row at all counts as a successful login
if ($num_rows > 0 ) {
    header("Location: mailman_main.php");
}else  {
    header("Location: failedlogon.html");
}
?>

Re: $_POST question from newb

Following on from Pete Horm's message. . .

A few random observations:
1 -  Well done.  If you've never programmed before - excellent.  You  
have achieved a great deal (probably a lot more than you realise) with a  
small amount of code.

2 - You will learn a great deal from browsing the manual - either the  
on-line version or the downloaded version to browse at your leisure.

3 - You will also discover the existence of naughty people who don't use  
your code 'like wot they ought'.  There are two ways to do this: Either  
by getting wise to the common methods of hacking PHP/SQL pages or not  
getting wise to them.  For example follow step 2 above and look for "SQL  
Injection" (Hint: Now!)

4 - Debugging PHP is not the easiest thing in the world.  You might find  
print_r() being used a bit.  Find out what you can about PHP Gotchas.

5 - There are plenty of web resources for PHP.  Browse, surf, download  
and study.  You might use this NG for pointers to PHP+MySQL+Server  
knowledge but we won't be rewriting your code unless we're exceptionally  
bored.  (Since there are as many wrong ways to write code as there are  
right ways it's a bit of a lottery anyway.)

6 - Once you've dealt with item 3 your next challenge will be Sessions.  
Some people never have a problem, others find it a struggle. If I were  
you I'd play with some small test pages. Lots of print_r()s ahead!

7 - WRT your code:
I'd (a) test for what I came for not just 'something'
(b) Have hashed using say MD5 the p/w
(c) Not used an underscore in a page name

PETER FOX Not the same since the bra business went bust
2 Tees Close, Witham, Essex.
Gravity beer in Essex  <http://www.eminent.demon.co.uk>

Thank you Peter (was: $_POST question from newb)

Hi Peter,
Thank you very much for replying to my question.  I greatly appreciate the
advice.  Have a great day.


Re: $_POST question from newb


<snip the HTML which looks pretty much OK>

 Basically the PHP is using $_POST correctly, but it's missing error handling
and has a major security hole:

 Whenever you make mysql_* calls you should check the return value; you've done
this in the mysql_select_db below but not here.


 mysql_error() can give more informative error messages, although it's up to
you whether you want to send the raw MySQL error message to the user or not.


 The brackets aren't necessary, but don't do any harm.


 Serious trouble here - do a search for "sql injection attacks".

 If $password contains quotes, then this will cause an error in the SQL. From
there, you can start putting in specific values that change the condition in
the SQL, for example you could send:

'' or 'x'='x

 ... as password, which results in:

Select * from users where username = 'username' and password = '' or 'x'='x'

 This will return all the data in the table, so the page can be tricked in this
way into thinking it's got a valid login, when actually it hasn't.

 Use mysql_escape_string() on all values before they get put into SQL.

 Another approach is to use a database abstraction library, my favourite being
ADOdb (http://adodb.sourceforge.net ), which can take away the worry of having
to remember to escape values. You can then write statements like:

$result = $db->Execute(
    'select * from users where username = ? and password = ?',
    array($username, $password)
);

 The library then handles whatever is required to get the values into the
database, substituting the "?" placeholders with values that are escaped and
quoted if necessary (or other databases, such as Oracle, bind values separately
to running the statement), which makes avoiding SQL injection attacks much


 You ought to fetch the row and check it matches at least the username you
supplied, and if $num_rows > 1 that'd be suspicious.


 Location headers have to go to absolute URLs, e.g.

 Relative URLs aren't allowed in the HTTP specifications, although most
browsers correct for this common mistake.


Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
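A worked version of what Peter's item 7 and Andy's reply both ask for, added here as an example rather than code from the thread: the original string-built query beside a prepared-statement login that fetches the row, checks it is the username that was asked for, treats anything but exactly one row as a failure, and compares a password hash. It assumes PHP 7 or later with the pdo_sqlite driver and a constructed in-memory users table; password_hash() stands in for the MD5 Peter mentions, and the injected password is the one that produces the query Andy shows.

```php
<?php
// Added example, not from the thread. Runs offline against a constructed
// in-memory SQLite table whose columns mirror the original trylogon.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
// Store a hash, never the plaintext (password_hash() in place of MD5).
$ins->execute(['pete', password_hash('secret', PASSWORD_DEFAULT)]);
$ins->execute(['alice', password_hash('hunter2', PASSWORD_DEFAULT)]);

// Vulnerable form: the same string-building as trylogon.php, kept only to
// show how many rows the injected password makes it return.
function rows_vulnerable(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return count($db->query($sql)->fetchAll());
}

// Hardened form: a placeholder carries the value, then the row is checked
// against what we actually asked for (Peter's (a), Andy's username check).
function login_ok(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) !== 1) {
        return false;   // unknown user, or a duplicate row: suspicious either way
    }
    if ($rows[0]['username'] !== $username) {
        return false;   // the database matched something other than the name supplied
    }
    return password_verify($password, $rows[0]['password']);
}

// The injected password from Andy's reply: makes the WHERE clause a tautology.
$payload = "' or 'x'='x";
printf("vulnerable query rows: %d\n", rows_vulnerable($db, 'nobody', $payload)); // 2: every row
printf("hardened login, injected password: %s\n", login_ok($db, 'nobody', $payload) ? 'yes' : 'no'); // no
printf("hardened login, real password: %s\n", login_ok($db, 'pete', 'secret') ? 'yes' : 'no'); // yes
```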

Re: $_POST question from newb

Just wanted to thank you Peter and Andy for responding.  I really
appreciate the good advice that you gave.  

