[Wylug-help] LAMP: form vars not passed to php script

Smylers@stripey.com Smylers at stripey.com
Wed, 8 Jan 2003 15:47:14 -0500 (EST)


On Wed, 8 Jan 2003 mikeb@gbdirect.co.uk wrote:

> On Wed, Jan 08, 2003 at 01:03:35PM +0000, Andy Macdonald wrote:
>
> > $query = "SELECT userId, userName, userPass from users WHERE userName =
> > $_REQUEST['frmuser'] AND userPass = MD5($_REQUEST['frmpass'])";
>
> Sadly, you can't interpolate arrays in strings like that.
>
> You would have to use:
> $query = "SELECT userId, userName, userPass from users WHERE
> userName =" . $_REQUEST['frmuser'] .
> " AND userPass = MD5(" . $_REQUEST['frmpass']. ")"
>
> I.e. doing your own interpolation by string-pasting instead,
> at least that's what I believe without actually trying it in
> practice.

You _can_ get PHP to interpolate array element values (even if nested):
you have to put the variable in braces.  However function calls still need
to be made outside strings, so the username can stay in the string but the
password needs to be encrypted out of the string, like so:

  $query = "SELECT userId, userName, userPass from users WHERE userName =
  {$_REQUEST['frmuser']} AND userPass = " . MD5($_REQUEST['frmpass']);

Note that that will generate a string whose contents are something along
the lines of:

  SELECT userId, userName, userPass from users WHERE userName =
  lizzy AND userPass = 8DEB0B6EDD59826EDA7BF2C11B4A6566

I'd expect that to be a syntax error if typed as a query into a database's
prompt.  Strings tend to need quoting, so the query probably should be:

  SELECT userId, userName, userPass from users WHERE userName =
  'lizzy' AND userPass = '8DEB0B6EDD59826EDA7BF2C11B4A6566'

It's no different when passing SQL from PHP: the DB still needs strings to
be quoted.  Something like this should do it:

  $md5_passwd = MD5($_REQUEST['frmpass']);
  $query = "SELECT userId, userName, userPass from users WHERE userName =
  '{$_REQUEST['frmuser']}' AND userPass = '$md5_passwd'";

Good luck.

Smylers
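The following is an added example, not code from Smylers or anyone else in this thread. It shows the brace interpolation and out-of-string MD5() call described above, and then the same lookup written with a PDO prepared statement, where the database driver does the quoting so the form values never become part of the SQL text. It assumes PHP with the PDO SQLite driver available; the `users` table, the sample row and the `$_REQUEST` contents are constructed for the example.

```php
<?php
// Added example (not from the original thread). Demonstrates the brace
// interpolation discussed above and then the parameterised alternative.
// Uses an in-memory SQLite database via PDO so it runs offline; the table
// layout, the sample row and the request values are constructed here.

// Constructed stand-in for the submitted form.
$_REQUEST = ['frmuser' => 'lizzy', 'frmpass' => 'correct horse'];

// 1. Interpolation as discussed in the thread: array elements need braces
//    inside a double-quoted string, and a function call such as MD5() has to
//    be evaluated outside the string. The result is plain SQL text, so the
//    string values must also be quoted by hand.
$md5_passwd = md5($_REQUEST['frmpass']);
$literal = "SELECT userId, userName, userPass FROM users WHERE userName = "
         . "'{$_REQUEST['frmuser']}' AND userPass = '$md5_passwd'";
echo $literal, "\n";

// 2. The same lookup with a prepared statement: values are bound separately
//    from the SQL, so no manual quoting is needed and the database never
//    interprets user input as part of the query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, userName TEXT, userPass TEXT)');

// Store a salted password hash rather than a bare MD5 of the password.
$insert = $db->prepare('INSERT INTO users (userName, userPass) VALUES (:name, :hash)');
$insert->execute([
    ':name' => 'lizzy',
    ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// Look a user up by name only; the password is checked in PHP afterwards.
function findUser(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT userId, userName, userPass FROM users WHERE userName = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$row = findUser($db, $_REQUEST['frmuser']);
$ok = $row !== null && password_verify($_REQUEST['frmpass'], $row['userPass']);
echo $ok ? "login ok for {$row['userName']}\n" : "login failed\n";

// A name containing an apostrophe is passed as data: no quoting problem and
// no SQL syntax error, just no matching row.
var_dump(findUser($db, "o'brien"));   // NULL
```

The first query string is printed only to show what the interpolation produces; the actual lookup uses the bound-parameter form, which is the one to keep in a login handler.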