Sql injection
Posted: Thu Feb 18, 2010 11:04 pm
hi all
I come from Indonesia, I'm sorry if I'm not english fluent
I was new in php
I want to ask, what this information can inject?
//login form
<div id="loginform">
<form method= "post" action="cheklogin.php" name="form1">
<label for="username"> Username:</label>
<input type="text" name="myusername" id="username" />
<label for="password"> Password:</label>
<input type="password" name="mypassword" id="password" />
<input type="submit" name="submit" value="login" />
</form>
//cheklogin.php
<?
$host = "localhost";
$username= "root";
$password= "";
$db_name = "mydb";
$tbl_name ="admin";
mysql_connect ($host, $username, $password) or ("can't connect");
mysql_select_db ($db_name) or die (mysql_error());
$myusername= $_POST['myusername'];
$password= $_POST['mypassword'];
$sql = "select * from $tbl_name where username='$myusername' and password='$mypassword' ";
$result = mysql_query ($sql);
$count = mysql_num_rows ($result);
if ($count==1) {
session_register("myusername");
session_register("mypassword");
header ("location:login_success.php");
}
else {
echo "wrong password";
}
?>
inject how to prevent?
and how to inject login above?
please help me, I was confused when someone break my website
I want to know how he broke my website
I come from Indonesia, I'm sorry if I'm not english fluent
I was new in php
I want to ask, what this information can inject?
//login form
<div id="loginform">
<form method= "post" action="cheklogin.php" name="form1">
<label for="username"> Username:</label>
<input type="text" name="myusername" id="username" />
<label for="password"> Password:</label>
<input type="password" name="mypassword" id="password" />
<input type="submit" name="submit" value="login" />
</form>
//cheklogin.php
<?
$host = "localhost";
$username= "root";
$password= "";
$db_name = "mydb";
$tbl_name ="admin";
mysql_connect ($host, $username, $password) or ("can't connect");
mysql_select_db ($db_name) or die (mysql_error());
$myusername= $_POST['myusername'];
$password= $_POST['mypassword'];
$sql = "select * from $tbl_name where username='$myusername' and password='$mypassword' ";
$result = mysql_query ($sql);
$count = mysql_num_rows ($result);
if ($count==1) {
session_register("myusername");
session_register("mypassword");
header ("location:login_success.php");
}
else {
echo "wrong password";
}
?>
inject how to prevent?
and how to inject login above?
please help me, I was confused when someone break my website
I want to know how he broke my website