Login security issue

Questions about the MySQL, PostgreSQL, and most other databases, as well as using it with PHP can be asked here.

Moderator: General Moderators

Post Reply
User avatar
lazy_yogi
Forum Contributor
Posts: 243
Joined: Fri Jan 24, 2003 3:27 am

Login security issue

Post by lazy_yogi »

If I have a user login and the query is something like

$query = "Select * FROM login WHERE user = \"".$user."\" AND pass = \"".$pass."\"";

How can I stop someone from doing something like user enters
$user = "1';new mysql_query HERE";


Also, any code that other ppl use to login would be helpful too as even though it isn't difficult, I haven't done it before and might as well not re-invent the wheel and make the same mistakes that others have made.

Cheers
User avatar
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

mysql_escape_string()

it should always be used in any type of user submitted data used in a quer.. And use stripslashes inside of it if magic_quotes_gpc is on, which it is on a lot of hosts

Code: Select all

<?php
 $myquery = "SELECT col1,col2 FROM tble WHERE user='".
     mysql_escape_string(stripslashes($_POST['username']))."' 
   AND password='".
     mysql_escape_string(stripslashes($_POST['password']))."' ");
?>
Post Reply