Posted by Andy Jeffries on 05/17/06 23:21

On Wed, 17 May 2006 21:33:17 +0200, Iván Sánchez Ortega wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jessica Parker wrote:
>
>> Try this, I'm not sure if it will help, but it's how I'd do it:
>> $password = $_POST['password'];
>> $username = $_POST['username'];
>> $sql = "SELECT ID FROM login WHERE username='$username' and
>> password='$password'";
>
> Bad. This leaves the door open for SQL injection attacks.
>
> Please *do* escape every piece of data that will be put into a SQL query,
> like this:
>
> $password = mysql_escape_string($_POST['password']); $username =
> mysql_escape_string($_POST['username']); $sql = "SELECT ID FROM login
> WHERE username='$username' and password='$password'";

Also though, be advised it's probably a bad idea to write new code using
*deprecated functions*:

http://uk.php.net/mysql_escape_string
This function is deprecated

Instead use:

http://uk.php.net/mysql_real_escape_string

Cheers,


Andy



--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

• Next in forum: Re: why won't this work?
• Prev in forum: Re: Variable Variables in Classes
• Thread view: Re: why won't this work?

[Reply to this message]