dongqiaochi2711
2011-11-11 02:21 阅读 47
已采纳

用$ _POST变量连接Db字段php / mysql

HTML

  <form style="margin:5px 0;" action="#" method="post"> 
                Buyer <input type="radio" name="addType" value="Buyer" />
                &nbsp;&nbsp;Merchant <input type="radio" name="addType" value="Merchant" />
            </form>
            <form id="NewBuyerRegHp" method="post" action="check.php">
                Username or Email: <input type="text" name="userOrEmail" class="UserLogin" value="Username" onFocus="clearText(this)" /> <br />
                Password: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="password" name="userPass" class="UserLogin" value="Password" onFocus="clearText(this)"  /> <br />
                <input type="submit" name="SubmitNewBuyerHp" value="Secure Login" />
            </form>

PHP

require_once('../inc/db/dbc.php');

$entPass =  $_POST['userPass']; #entered password by user.
$SaltyPass = hash('sha512',$dynamSalt.$escapedInputtedPass); #more secure pass with dynam salt using SHA512 Hashing

$NewUserLoginCheck = mysql_query("SELECT uUName, uEmail, uUPass, dynamSalt FROM User WHERE uUName OR  uEmail = '".mysql_real_escape_string($_POST['userOrEmail'])."' AND uUPass = '".mysql_real_escape_string($_POST['userPass'])."'    ")or die(mysql_error());

How do I concatenate the inputted user pass with mysql_real_escape_string($_POST['userPass']) with the dynamSalt field?? I want to combination of mysql_real_escape_string($_POST['userPass']) . dynamSalt but I can't use the dynamSalt until its accessed in the SQL statement?

How would I go about doing this?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

2条回答 默认 最新

  • 已采纳
    duanruoyu6675 duanruoyu6675 2011-11-11 02:40

    Try this

    require_once('../inc/db/dbc.php');
    
    //$entPass =  $_POST['userPass']; #entered password by user.
    //$SaltyPass = hash('sha512',$dynamSalt.$escapedInputtedPass); #more secure pass with dynam salt using SHA512 Hashing
    
    $NewUserLoginCheck = mysql_query("SELECT uUName, uEmail, uUPass, dynamSalt FROM User WHERE uUName OR  uEmail = '".mysql_real_escape_string($_POST['userOrEmail'])."' AND uUPass = sha2(concat(dynamSalt, '".mysql_real_escape_string($_POST['userPass'])."'), 512)    ")or die(mysql_error());
    
    点赞 评论 复制链接分享
  • douyi1341 douyi1341 2011-11-11 04:51

    I personally am not a fan of concat or escaping strings in the middle of a query. If possible it is best (imo) to do everything pre-query. That way your query is easily readable, and your can perform more checks on the user input easier like running through functions and such.

    点赞 评论 复制链接分享

相关推荐