Posted by Iván Sánchez Ortega on 05/17/06 22:33


Jessica Parker wrote:

> Try this, I'm not sure if it will help, but it's how I'd do it:
> $password = $_POST['password'];
> $username = $_POST['username'];
> $sql = "SELECT ID FROM login WHERE username='$username' and
> password='$password'";

Bad. This leaves the door open for SQL injection attacks.

Please *do* escape every piece of data that will be put into a SQL query,
like this:

$password = mysql_escape_string($_POST['password']);
$username = mysql_escape_string($_POST['username']);
$sql = "SELECT ID FROM login WHERE username='$username' and
password='$password'";


d_goto: if you ever want to access an array element inside a
double-quoted string, you must put it inside curly braces, like:

$sql = " select foo from foo where username = {$array['username']} ";

Please RTFM about string variables.

--
----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net
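The login query from the thread, as an added example that is not part of the original post: the naive version beside a parameterised one. mysql_escape_string() has since been removed from PHP, so the escaping duty Iván describes is done here by binding the values through PDO instead; the table, rows and input are constructed, and SQLite in memory is used only so the script runs stand-alone.

```php
<?php
// Builds a throwaway database with a constructed `login` table.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE login (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    // Constructed sample rows; a real table would hold password hashes, not plaintext.
    $db->exec("INSERT INTO login (username, password) VALUES ('alice', 's3cret'), ('o''brien', 'pw')");
    return $db;
}

// Unsafe: the input is pasted straight into the SQL text, exactly as in the quoted snippet.
function findIdUnsafe(PDO $db, string $username, string $password): ?int {
    $sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['ID'] : null;
}

// Safe: the SQL text carries only placeholders; the values are bound separately,
// so they are never parsed as SQL no matter which characters they contain.
function findIdSafe(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare("SELECT ID FROM login WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['ID'] : null;
}

$db = makeDb();
$input = ['username' => "o'brien", 'password' => 'pw']; // constructed stand-in for $_POST

// Array elements inside a double-quoted string need the curly braces Iván mentions.
$id = findIdSafe($db, $input['username'], $input['password']);
echo "safe: {$input['username']} -> ID " . var_export($id, true) . "\n"; // ID 2

try {
    findIdUnsafe($db, $input['username'], $input['password']);
} catch (PDOException $e) {
    // The apostrophe in a legitimate username already breaks the query text;
    // that same breakage is what an injection attack relies on.
    echo "unsafe: query failed (" . $e->getMessage() . ")\n";
}
```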
