I’ve made a PHP login script and it just does not work.
My code:
<?php
function clean($str) { /* sanitize strings for databases & security */
    $str = trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // mysql_real_escape_string() belongs to the old mysql extension and needs an
    // open mysql connection; it escapes the value before PDO gets to bind it
    return mysql_real_escape_string($str);
}
if (!empty($_POST['login_admin'])) {
    $username = clean($_POST['name']);
    $password = clean($_POST['password']);
    try {
        $dbh = new PDO('mysql:host=localhost;dbname=imedia', "imedia", "imedia");
        // the values are bound by PDO; the password column is called parola
        $statement = $dbh->prepare("SELECT * FROM administratori WHERE username = :username AND parola = :password");
        $statement->execute(array(":username" => $username, ":password" => md5($password)));
        $row = $statement->fetch();
        if ($row) {
            // session_start() takes no session name; set the name with session_name() first
            session_name("imedia_admin");
            session_start();
            $_SESSION['imedia_admin']['logname'] = $row['username'];
            $_SESSION['imedia_admin']['password'] = $row['parola']; // the column is parola, not password
            echo json_encode("success");
        } else {
            echo json_encode("error");
        }
        $dbh = null;
    } catch (PDOException $e) {
        print "Error!: " . $e->getMessage() . "<br/>";
        die();
    }
}
?>
The problem is in the clean function; if I do not use it, my code works. Can anybody explain to me what I am doing wrong, please?
PDO will take care of it (it automatically escapes single quotes or sanitizes it for you). Don’t pass the variable through your own clean function. Here’s what’s going on.

"hello world's day"
    → clean makes it "hello world''s day"
    → PDO escapes it again, making it "hello world''''s day"

"hello world's day" is not equal to "hello world''s day".
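The double escaping the answer describes, shown end to end as an added example (this is not code from the question or the answer). It uses an in-memory SQLite database through PDO so it runs without MySQL, with addslashes() standing in for mysql_real_escape_string(), which needs an open mysql connection; the administratori table and its single row are constructed for the demo.

```php
<?php
// Added example: why escaping a value before binding it to a PDO prepared
// statement breaks the lookup. The in-memory SQLite database, the table and
// the row are constructed here; addslashes() plays the role of
// mysql_real_escape_string() from the question's clean() function.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE administratori (username TEXT, parola TEXT)");

$stored = "hello world's day"; // the value that is actually in the table
$ins = $dbh->prepare("INSERT INTO administratori (username, parola) VALUES (:u, :p)");
$ins->execute(array(':u' => $stored, ':p' => md5('secret')));

// Looks a user up the way the question's script does: the driver binds the
// parameter itself, so the caller must pass the raw, unescaped value.
function find_user(PDO $dbh, $username) {
    $st = $dbh->prepare("SELECT username FROM administratori WHERE username = :username");
    $st->execute(array(':username' => $username));
    return $st->fetch(PDO::FETCH_ASSOC);
}

// The question's clean(): trims, then escapes. The escaping is the problem.
function clean_broken($str) {
    return addslashes(trim($str));
}

// The fix: keep the trim if you want it, drop the escaping entirely.
function clean_fixed($str) {
    return trim($str);
}

$input = " hello world's day ";
foreach (array('clean_broken' => clean_broken($input), 'clean_fixed' => clean_fixed($input)) as $name => $value) {
    // With clean_broken the bound value carries a backslash, so it is a
    // different string from what is stored and no row matches; with
    // clean_fixed the raw value is bound and the row is found.
    $found = find_user($dbh, $value) !== false;
    printf("%-12s binds %-22s -> row found: %s\n", $name, var_export($value, true), $found ? 'yes' : 'no');
}
```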