Posted by Iván Sánchez Ortega on 05/17/06 22:33
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jessica Parker wrote:
> Try this, I'm not sure if it will help, but it's how I'd do it:
> $password = $_POST['password'];
> $username = $_POST['username'];
> $sql = "SELECT ID FROM login WHERE username='$username' and
> password='$password'";
Bad. This leaves the door open for SQL injection attacks.
Please *do* escape every piece of data that will be put into a SQL query,
like this:
$password = mysql_escape_string($_POST['password']);
$username = mysql_escape_string($_POST['username']);
$sql = "SELECT ID FROM login WHERE username='$username' and
password='$password'";
d_goto: if you ever want to access an array element inside a
double-quoted string, you must put it inside curly braces, like:
$sql = " select foo from foo where username = {$array['username']} ";
Please RTFM about string variables.
- --
- ----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEa3qB3jcQ2mg3Pc8RApSgAKCESaBskkuC1+2UYPV+eRZtTVfdSgCdFq7G
NtDxpIcYIfiN/lWS3PbQr0E=
=HBlW
-----END PGP SIGNATURE-----
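Added example, not part of the thread above: the same login lookup built three ways against an in-memory SQLite database through PDO, so it runs without a MySQL server. The table, its two rows and the test input are constructed here. mysql_escape_string() from the post was removed in PHP 7; PDO::quote() stands in for it, and the prepared-statement version is what "escape every piece of data" translates to in current PHP. The function names are this example's own.

```php
<?php
// Added example (not from the original thread). Constructed schema and rows,
// mirroring the "login" table the thread queries.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO login (username, password) VALUES ('alice', 'secret'), ('o''brien', 'pw')");

// 1. Interpolation, as in the quoted reply: the user's data becomes part of the SQL text,
//    so any quote character in it changes the structure of the statement.
function lookupInterpolated(PDO $db, string $username, string $password): ?int {
    $sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['ID'] : null;
}

// 2. Escaping, the thread's advice, with PDO::quote() in place of mysql_escape_string().
//    quote() returns the value already wrapped in quotes, so the SQL omits its own.
function lookupEscaped(PDO $db, string $username, string $password): ?int {
    $u = $db->quote($username);
    $p = $db->quote($password);
    $sql = "SELECT ID FROM login WHERE username=$u and password=$p";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['ID'] : null;
}

// 3. Prepared statement: the SQL text is fixed at prepare time and the data is bound
//    separately, so no escaping step can be forgotten.
function lookupPrepared(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare("SELECT ID FROM login WHERE username = :u and password = :p");
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['ID'] : null;
}

// Constructed input: a legitimate username that happens to contain a single quote.
$username = "o'brien";
$password = 'pw';

try {
    echo "interpolated: " . var_export(lookupInterpolated($db, $username, $password), true) . PHP_EOL;
} catch (PDOException $e) {
    // The quote inside the data terminated the string literal and the statement no
    // longer parses. A syntax error is the harmless symptom; the same mechanism is
    // what lets crafted input rewrite the query.
    echo "interpolated: query broke: " . $e->getMessage() . PHP_EOL;
}
echo "escaped:  " . var_export(lookupEscaped($db, $username, $password), true) . PHP_EOL;
echo "prepared: " . var_export(lookupPrepared($db, $username, $password), true) . PHP_EOL;
```

Run it with `php example.php` (needs the pdo_sqlite extension). The first lookup fails on the apostrophe, the second and third both return the ID of the o'brien row; the difference between them is that the prepared statement cannot be rendered unsafe by one omitted quote() call.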