
q : qsite-ipt@qsite.edu.au 4 March 2008 • 12:15PM -0500

[qsite-ipt_qsite_edu_au] Re: php and sql help
by William Stansfield


On a very quick inspection, you might want to ensure that only one row is retrieved also from the database (assuming that the username is unique) using something like

if (mysql_num_rows($result) == 0)

Cheers, Bryson

----- Original Message -----
From: "ross.jardine@eq.e..." <rjard2@eq.e...>
Date: Tuesday, March 4, 2008 1:36 pm
Subject: [qsite-ipt_qsite_edu_au] php and sql help
To: qsite-ipt@qsit...

> Hi all,
>
> A student was creating a log in page for a jokes db. The user and password
> are stored in a table. I haven't done too much of this type of programming
> before so I am asking for the "correct way". My ideas and the student's are
> below. I know there may be many ways to do this but any pointers on the
> wider issues in programming such as security would be appreciated. I was
> also thinking of "isset" or ! for checking what mysql_query() returns but
> have not been successful.
>
> Thanks
>
> Ross
>
> My idea:
> <?php
> include ("conn.php");
> mysql_select_db("dbjokes", $con);
> $sql = "SELECT username, email  FROM tblusers
>            
> WHERE username ='$_POST[username]' AND password =
> '$_POST[password]'";
> if (mysql_query($sql,$con))
>   {
>   echo "Logged in ";
> ...blah blah
>   }
> else
>   {
>   echo "access denied";
>   }
> ?>
>
> Student's own code
>
> <?php
> //includes the connection file.
> include ("conn.php");
>
> //construct the sql query...
>
> mysql_select_db("dbjokes", $con);
>
> $result = mysql_query("SELECT * FROM tblusers");
>
> while($row = mysql_fetch_array($result)) //[whilst there are rows left in the table, echo it to the screen.
>   {
>    if (($_POST['username'] == $row['username']) &&
> ($_POST['password']== $row['password']))
> {
> echo "Welcome" . " " . $row['username'];
> $joke_result = mysql_query("SELECT * FROM tbljokes");
> echo "<table border = 1 >
>                    <tr>
>                          <td> Joke ID</td>
>                          <td> User Name</td>
>                          <td> Date</td>
>                          <td> Joke </td>
>                  </tr>";
>                  while($joke_row = mysql_fetch_array($joke_result))
> //[whilst there are rows left in the table, echo it to the screen.
>                           {
>                                  echo "<tr>";
>                                  echo         "<td>"
> .$joke_row['joke_id']. "</td>";
>                                  echo         "<td>"
> .$joke_row['username'] ."</td>";
>                                  echo         "<td>"
> .$joke_row['date']. "</td>";
>                                  echo         "<td>"
> .$joke_row['joke']. "</td>";
>                                  echo "</tr>";
>                                  }
>                                      echo "</table>";
> }
>  
>  }
>  
>    "Back to login";
>   echo "<br />";
> mysql_close($con);
> ?>
>
> ##########################
> Mr R Jardine
> HOD Business/IT
> Toolooa SHS
> www.toolooashs.eq.edu.au
> GLADSTONE QLD 4680
> Ph: +61-7-49714333
> Fax: +61-7-49714300
>
>
> ---
> QSITE-IPT: http://www.groups.edna.edu.au/course/view.php?id=489 -
> The IPT Learning Community.
> You are currently subscribed to qsite-ipt_qsite_edu_au as:
> wstan1@eq.e... unsubscribe send a blank email to leave-qsite-
> ipt_qsite_edu_au-431074F@list...
>

______________________________
Bryson Stansfield
Head of Faculty - Learning Technology
Pine Rivers State High School
Ash Court, Strathpine 4500

p 07 3881 4793
f 07 3881 4777
e wstan1@eq.e...

"Logic can take you from A to B, but imagination can take you anywhere"


---
QSITE-IPT: http://www.groups.edna.edu.au/course/view.php?id=489 - The IPT Learning Community.
You are currently subscribed to qsite-ipt_qsite_edu_au as: subscriber@open...
To unsubscribe send a blank email to leave-qsite-ipt_qsite_edu_au-504578D@list...
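
An added example, not part of the original messages or the student's code: the login check from the thread written with a PDO prepared statement, the exactly-one-row test suggested in the reply, and password_verify(). It assumes PDO's SQLite driver (in-memory, with constructed sample data), a hypothetical check_login() helper, and that tblusers.password stores a password_hash() value rather than the plain password.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver
// (in-memory, so it runs offline) and that tblusers.password holds a
// password_hash() value. check_login() is a hypothetical helper name.

function check_login(PDO $db, string $username, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $db->prepare(
        'SELECT username, email, password FROM tblusers WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // A query that ran is not a login that succeeded: require exactly one row.
    if (count($rows) !== 1) {
        return null;
    }
    // Compare against the stored hash in PHP, not in the WHERE clause.
    if (!password_verify($password, $rows[0]['password'])) {
        return null;
    }
    unset($rows[0]['password']);   // do not hand the hash to the caller
    return $rows[0];
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblusers (username TEXT PRIMARY KEY, email TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO tblusers VALUES (?, ?, ?)');
$ins->execute(['alice', 'alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],  // valid login
    ['alice', 'wrong'],          // known user, bad password
    ['nobody', 'x'],             // unknown user: zero rows
    ["o'brien", 'x'],            // a quote in the input is bound as plain data
];
foreach ($attempts as [$u, $p]) {
    $user = check_login($db, $u, $p);
    // Escape anything from the database before writing it into HTML.
    echo $user
        ? 'Welcome ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8')
        : 'access denied';
    echo PHP_EOL;
}
```

Only the first attempt prints a welcome line; the other three print "access denied".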