Posted by knal on 01/05/07 13:47

I'm aware of the SQL-injection danger. But by using
mysql_real_escape_string() in all queries (on wich the visitor has any
influence) i should be safe AFAIK ...

Thanks for the mention.

On Jan 5, 2:27 pm, nos...@see.sig.to.reply (Rafe Culpin) wrote:
> In article <1168002079.875499.106...@v33g2000cwv.googlegroups.com>,
>
> knalp...@gmail.com (knal) wrote:
> > Users, passes etc. would "have to be" in a MySQL DB, since i don't want
> > to manually add every new member to a .htaccess file.In that case one thing you *must* block is a "sql injection attack". If
> you don't already know about this please google for it, there's a lot of
> information out there.
>
> Almost every example login script ignores it. It can give an attacker
> complete control of your database, and in extreme cases the ability to run
> arbitrary system commands.
>
> --
> To reply email rafe, at the address cix co uk

• Next in forum: Re: Encrypting Passwords
• Prev in forum: Re: Suggestions for best practice: mysql vs array sorting
• Thread view: Re: Secure login tutorial

[Reply to this message]