Hello,

I am making a login form on my site, and need a little bit of help. I keep receiving an error when I use this script:

<?php

$em = $_REQUEST["email"];
$pa = md5($_REQUEST["password"]);

// connection info hidden

$connectionInfo = array( "UID"=>$uid,
                         "PWD"=>$pwd,
                         "Database"=>$databaseName);
$conn = sqlsrv_connect( $serverName, $connectionInfo);

$tsql = "SELECT email, password FROM users WHERE email = $em AND password = $pa";

$stmt = sqlsrv_query( $conn, $tsql);

if($stmt)
{
    $ot = "Hi, " . $em;
}
else
{
    $ot = "<p>Oh, no! My Account is currently unavailable right now, please try again later.</p>";
}

?>

The error I keep getting is:

Oh, no! My Account is currently unavailable right now, please try again later.

Can someone please help me understand why it is not displaying the "Hi, $em" message when I log in, and how I may go about fixing it?

Also, just to get this out of the way, yes, I am using the correct login details. :)

Thanks jase

+2  A: 

You have several issues:

  1. You're using REQUEST instead of POST. You really should use POST.
  2. Your code is vulnerable to SQL injection: http://php.net/manual/en/security.database.sql-injection.php
  3. You have no quotes around your string literals, which is likely causing your problem.

Thomas O
All of my other select, update and insert scripts that i wrote work on other pages... So I don't understand how this one isn't. It doesn't make any sense. I have tried using POST before, as recommended by somebody else, a while ago, but I was getting undesired results.
lucifer
What 'undesired' results? POST is used mostly for form data. GET is for the data in the URL. The problem with GET for a login form is that anyone glancing over your shoulder can see the variables you logged in with. REQUEST combines both POST and GET. Make sure your form's method is "post" (lowercase). Also, be careful to make sure register_globals is off.
Thomas O
I have confirmed that register_globals is off, I am using 'post', and thanks, I will take your advice on board.
lucifer
Quotes aren't the issue. Quotes give me "Unexpected T_..." errors.
lucifer
That is because you are not escaping the quotes. Instead of writing "SELECT * FROM something WHERE value="something"" (which confuses the PHP parser) you need to write "SELECT * FROM something WHERE value=\"something\"" and be careful to escape your inputs.
Thomas O
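The login lookup from the question rewritten with a parameterised sqlsrv_query(), added here as an example that is neither the asker's nor the answerer's code. It assumes the connection variables from the question and that the password column stores a password_hash() digest instead of the question's md5 value; note that sqlsrv_query() returns false only when the query fails to execute, so the question's if($stmt) test passes whenever the SQL is valid, even when no user matched.

```php
<?php
// Added example (not the asker's code): the same login lookup written with a
// parameterised sqlsrv_query() so user input is never spliced into the SQL text.
// Assumptions: $serverName, $uid, $pwd and $databaseName are defined as in the
// question; the "password" column holds a password_hash() digest, not md5.

$conn = sqlsrv_connect($serverName, array(
    "UID"      => $uid,
    "PWD"      => $pwd,
    "Database" => $databaseName,
));
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));   // connection failed, not a bad login
}

// Read from POST only; REQUEST would also accept the values from the URL.
$em = isset($_POST["email"]) ? $_POST["email"] : "";
$pa = isset($_POST["password"]) ? $_POST["password"] : "";

// The "?" placeholder is bound from $params and quoted by the driver, so the
// missing string quotes and the injection risk from the question both go away.
$tsql   = "SELECT email, password FROM users WHERE email = ?";
$params = array($em);
$stmt   = sqlsrv_query($conn, $tsql, $params);

if ($stmt === false) {
    // Only reached when the query itself fails; a query that matches no rows
    // still returns a statement resource, so this is not the "wrong login" case.
    die(print_r(sqlsrv_errors(), true));
}

// sqlsrv_fetch_array() returns an array, null when there are no more rows,
// or false on error.
$row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
if (is_array($row) && password_verify($pa, $row["password"])) {
    $ot = "Hi, " . htmlspecialchars($row["email"], ENT_QUOTES, "UTF-8");
} else {
    // Same message for unknown email and wrong password, so the response does
    // not reveal which accounts exist.
    $ot = "<p>Login failed. Please check your email and password.</p>";
}
echo $ot;
?>
```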