No, that is not what we mean; we mean something like:
Code:
$admin = 0;
mysql_query("INSERT INTO `users` (`username`, `password`, `admin`) VALUES ('$username', '$password', '$admin')");
Someone could set admin to 1 by sending this as their password:
Put that in place of $password and you'll see what I mean. That is called SQL injection, and we have already discussed that in this thread. In case you're wondering, the -- tells MySQL to ignore the rest of the query. mysql_real_escape_string would have replaced the quote after foobar with a \', which tells MySQL that the quote is to be part of the password itself.
Also, you should have a limit on the username length in addition to this; as you can see, this exploit is less than 25 characters and gives the attacker admin access.
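For comparison with the concatenated INSERT in the post above, here is an added example (not code from the thread) of the same registration done with a PDO prepared statement. The helper name `register_user`, the 25-character limit, the in-memory SQLite database standing in for MySQL, and the use of `password_hash` are assumptions made for the example.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    admin    INTEGER NOT NULL DEFAULT 0
)');

const MAX_USERNAME_LEN = 25; // assumed limit, borrowed from the figure in the post

// Hypothetical helper: registers a user without building SQL from input.
function register_user(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || strlen($username) > MAX_USERNAME_LEN) {
        return false; // reject over-long names instead of truncating them
    }
    // Placeholders keep the values out of the SQL text. admin is a literal 0
    // inside the statement, so no request value can reach that column.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, admin) VALUES (:u, :p, 0)'
    );
    return $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // store a hash only
    ]);
}

// Constructed input shaped like the one the post describes: a quote that
// would close the string in the concatenated query, then the -- marker.
$hostile = "foobar', '1') -- ";
register_user($pdo, 'mallory', $hostile);

$row = $pdo->query("SELECT password, admin FROM users WHERE username = 'mallory'")
           ->fetch(PDO::FETCH_ASSOC);

// The quote and -- were bound as data: the row is a normal, non-admin user
// whose password is the full hostile string.
if ((int) $row['admin'] !== 0 || !password_verify($hostile, $row['password'])) {
    throw new RuntimeException('input was interpreted as SQL');
}
// A 26-character username is refused before any query runs.
if (register_user($pdo, str_repeat('a', 26), 'x') !== false) {
    throw new RuntimeException('length limit not enforced');
}
echo "prepared statement kept admin = 0\n";
```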