Re: nooB PhP login using MySQL

Posted by Geoff Berrow on 03/30/07 09:53

Message-ID: <memo.20070330102052.1440B@rafecupl.merula.co.uk> from Rafe
Culpin contained the following:

>> The process is to take the supplied username and password and do a
>> database query to see if there is a row containing that combination. Of
>> course, this presupposes that you ensured that the combination was
>> unique before storing in the database. If a row is found the log in is
>> successful.
>
>*IMPORTANT*
>Before doing this and putting it on a public site, google "SQL injection
>attack" (with quotes) and make sure you understand the implications and
>have guarded against them. If you do not do this an attacker can run
>arbitrary SQL commands on your database.

Quite, I only intended to give an overview. No user input should be
trusted. The use of mysql_real_escape_string is now second nature to me
and I forgot to mention it.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
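
Added example, not part of the original post: the login lookup described in the quoted text, written once with input concatenated into the SQL and once with a prepared statement. mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7, so the example uses PDO placeholders instead; the table, column and function names are assumptions, and in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// Added example, not code from the thread. Assumed names: users table, its
// columns, and both functions. In-memory SQLite stands in for MySQL so the
// script runs offline; the PDO calls are the same with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
// Constructed sample row. A real site stores password_hash() output instead.
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");

// Before: input is pasted into the SQL text, so a quote character in the
// input ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// After: the statement is prepared with placeholders and the values are bound
// separately, so input can only ever be compared as data.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a valid login, a wrong password, and a password value
// containing quote characters that rewrites the concatenated WHERE clause.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['alice', "' OR '1'='1"],
];
foreach ($cases as [$u, $p]) {
    printf("%-8s %-16s concat=%-5s prepared=%s\n", $u, $p,
        var_export(login_concat($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

The third case logs in through login_concat and is rejected by login_prepared.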

 
