If I have a user login and the query is something like
$query = "Select * FROM login WHERE user = \"".$user."\" AND pass = \"".$pass."\"";
How can I stop someone from doing something like user enters
$user = "1';new mysql_query HERE";
Also, any code that other people use to login would be helpful too as even though it isn't difficult, I haven't done it before and might as well not re-invent the wheel and make the same mistakes that others have made.
Cheers
Login security issue
mysql_escape_string()
It should always be used in any type of user submitted data used in a query. And use stripslashes inside of it if magic_quotes_gpc is on, which it is on a lot of hosts.
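<?php
// stripslashes() undoes magic_quotes_gpc; mysql_escape_string() then escapes the value for the query.
$myquery = "SELECT col1,col2 FROM tble WHERE user='".
mysql_escape_string(stripslashes($_POST['username']))."'
AND password='".
mysql_escape_string(stripslashes($_POST['password']))."' ";
?>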
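An added example, not code from either poster in this thread: the same login check written with PDO prepared statements, so the submitted user name is bound as data and never becomes part of the SQL text, with the password checked against a stored hash. The in-memory SQLite database, the `pass_hash` column, the sample account and the `check_login` function are assumptions made for the example.

```php
<?php
// Added example: the schema, column names and sample account are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (user TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Constructed sample account; store a password hash, never the password itself.
$ins = $pdo->prepare('INSERT INTO login (user, pass_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function check_login(PDO $pdo, string $user, string $pass): bool
{
    // The placeholder keeps $user out of the SQL text: it is sent as data only,
    // so quotes and semicolons in it cannot change the statement.
    $stmt = $pdo->prepare('SELECT pass_hash FROM login WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    if ($hash === false) {
        return false;
    }
    // Compare against the stored hash in PHP instead of in the WHERE clause.
    return password_verify($pass, $hash);
}

// Valid credentials, a wrong password, and the input from the question.
var_dump(check_login($pdo, 'alice', 'correct horse'));
var_dump(check_login($pdo, 'alice', 'wrong'));
var_dump(check_login($pdo, "1';new mysql_query HERE", 'x'));
?>
```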