Page 1 of 1

Login security issue

Posted: Tue Mar 18, 2003 2:31 am
by lazy_yogi
If I have a user login and the query is something like

$query = "Select * FROM login WHERE user = \"".$user."\" AND pass = \"".$pass."\"";

How can I stop someone from doing something like user enters
$user = "1';new mysql_query HERE";


Also, any code that other ppl use to login would be helpful too as even though it isn't difficult, I haven't done it before and might as well not re-invent the wheel and make the same mistakes that others have made.

Cheers

Posted: Tue Mar 18, 2003 8:42 am
by Stoker
mysql_escape_string()

it should always be used in any type of user submitted data used in a quer.. And use stripslashes inside of it if magic_quotes_gpc is on, which it is on a lot of hosts

Code: Select all

<?php
 $myquery = "SELECT col1,col2 FROM tble WHERE user='".
     mysql_escape_string(stripslashes($_POST['username']))."' 
   AND password='".
     mysql_escape_string(stripslashes($_POST['password']))."' ");
?>