SQL error

kwnds · Post by **kwnds** » Thu Mar 22, 2007 6:33 pm

I have on code on php that connect to a mysql database and check if the username and password are correct and that code works fine.
The code of php is this:

Code: Select all

$connect_db 
$banco = mysql_select_db('$bd_name'); 
   
    $username= $_POST['username'];
    $q_user = mysql_query("SELECT * FROM info WHERE username='$username'");
 
    if(mysql_num_rows($q_user) == 1) {
   
        $query = mysql_query("SELECT * FROM info WHERE username='$username'");
        $dados = mysql_fetch_array($query);
        if($_POST['password'] == $dados['password']) {
            session_register("username");

And now i want to creat a tcl code that make the same effect that this does, but, i make /msg eggdrop-name auth username login and he check if its correct or no.
The code of tcl is this:

Code: Select all

bind msg - auth catch:info

proc catch:info {nick uhost hand arg} {
	set username [lindex [split $arg] 0]
	set password [lindex [split $arg] 1]
	set db [mysqlconnect -host www.lusopixel.com -user kwnds -password bmy-password -db kwnds]
	set resultado "SELECT * FROM info WHERE username='$username'"
	set linhas mysql_num_rows($resultado)
	if {$linhas == "0"} {
		putquick "privmsg $nick : Username wrong"
	} else {
		set resultado1 "select * from info where password = '$password'"
		set linhas1 mysql_num_rows($resultado1);

		if {$linhas1 == "0"} {
			putquick "privmsg $nick :Username wrong"
		} else {
			putquick "privmsg $nick :Username and Password correct"
		}
	}
}

But this code isnt working.
The hostname of my database is diferent of the hostname of my shell.
If someone want to try to fix this error, i give the information of the hosting of my database for he try to fix this on PM.
Thanks

De Kus · Post by **De Kus** » Sat Mar 24, 2007 11:13 am

first off, you should hash the passwords in your DB ^-^.

I wonder why you post your PHP SQL query, if you take a little diffrent way to match the passwords. You compare the password in PHP on the script side and in TCL on the SQL side. Also your TCL variant doesn't seem to use proper escaping to prevent SQL injection. In the case you match against a md5 hashed checksum you can forget about SQL injection, because a md5 hash will never be able to have characters you didn't expect

. But beware, PHP and eggdrop might not return the same md5 hash

.

The only guess I have is let you write the content of $_POST to a file and open it with a text editor (try to load the file as binary, not ASCII). Maybe it doesn't contain what you expected it does. It could also be a character encoding/recoding issue. Since POST data can have it's own character encoding it might also not have the same bytes as the bot receives (which simply uses iso-8859-1 with no recoding by default). You can exclude this stuff, if your password consits of only alpha-numeric characters.

kwnds · Post by **kwnds** » Sat Mar 24, 2007 1:04 pm

Where is the error on this code?

Code: Select all

bind msg - auth catch:info

package ifneeded mysqltcl 3.02 [list loadmysqltcl usr\home\dekapa\eggdrops\lib] 

proc catch:info {nick uhost hand arg} {

	set username [lindex [split $arg] 0]
	set password [lindex [split $arg] 1]
	set db_handle [mysqlconnect -host www.lusopixel.com -user kwnds -password my-password -db kwnds_info]
set sql "INSERT INTO info (username, password) VALUES ('$nick','$password)"
set result [mysqlexec $db_handle $sql]
if {$result != 1} {
putlog "SQL - Error"
} else { 
puthelp "PRIVMSG $nick: Username added to db"
}
}

The password will be: a-z. 1-9, _ and -
Thanks

Post by **nml375** » Sat Mar 24, 2007 1:36 pm

Seems like you're missing a ' in this line (right after $password):

Code: Select all

set sql "INSERT INTO info (username, password) VALUES ('$nick','$password)"

kwnds · Post by **kwnds** » Sat Mar 24, 2007 2:20 pm

I had fix that and it keep dont work.
I think that can be of the connection to the database, how can i check if the egg is connecting without errors?