is there any possible way to get around this?
i've tried a few things and i think its pretty secure.
it's a mysql server and listingId is an id that's emailed to them
when they create an account.
if($listingId == "" || $password == "") {
header('location: login.php?error=1') ;
break ;
}
include('dbInfoWeb.php') ;
$fndSql = "SELECT * FROM listings WHERE listingId = '" . $listingId . "' " ;
# Note it does not compare the password in the SQL query
$row = mysql_fetch_array($fndSql);
if(mysql_num_rows($fndSql) == 0) {
header('location: login.php?error=1') ;
mysql_close() ;
break ;
}
$fndPassword = $row['password'] ;
if($fndPassword != $password) {
header('location: login.php?error=1') ;
mysql_close() ;
exit;
}else{
setcookie("listingId", $listingId) ;
header('location: accountHome.php') ;
}
$fndSql = mysql_query("SELECT * FROM listings WHERE listingId = '" . $listingId . "'" );
i've tried a few things and i think its pretty secure.
it's a mysql server and listingId is an id that's emailed to them
when they create an account.
if($listingId == "" || $password == "") {
header('location: login.php?error=1') ;
break ;
}
include('dbInfoWeb.php') ;
$fndSql = "SELECT * FROM listings WHERE listingId = '" . $listingId . "' " ;
# Note it does not compare the password in the SQL query
$row = mysql_fetch_array($fndSql);
if(mysql_num_rows($fndSql) == 0) {
header('location: login.php?error=1') ;
mysql_close() ;
break ;
}
$fndPassword = $row['password'] ;
if($fndPassword != $password) {
header('location: login.php?error=1') ;
mysql_close() ;
exit;
}else{
setcookie("listingId", $listingId) ;
header('location: accountHome.php') ;
}
$fndSql = mysql_query("SELECT * FROM listings WHERE listingId = '" . $listingId . "'" );