Old 05-03-07, 02:51 PM   #7
evilghost
Registered User
 
Join Date: Jul 2005
Posts: 3,606
Default Re: Need a non-functional PHP login box

I know this is an older thread but I wanted to comment on t3hl33td4rg0n's excellent example. All is fine, however, it is strongly recommended that you use the mysql_escape_string() function to properly sanitize user input to avoid SQL injection.

In his example, the below code:

Code:
// Vulnerable: the raw POST value is concatenated straight into the SQL. (Values are quoted with ' here; backticks quote identifiers, not strings.)
$s = "SELECT * FROM `$utbl` WHERE `user` = '" . $_POST['username'] . "' AND `pass` = '" . md5($_POST['password']) . "'";
Should become:
Code:
// Escaped: mysql_escape_string() neutralises quote characters in the username; md5() output is plain hex and needs no escaping.
$s = "SELECT * FROM `$utbl` WHERE `user` = '" . mysql_escape_string($_POST['username']) . "' AND `pass` = '" . md5($_POST['password']) . "'";
This will prevent SQL injection; otherwise, SQL injection could occur.
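As an added example (not evilghost's or t3hl33td4rg0n's code), here is the same login query written with a PDO prepared statement, which binds the user input as a parameter instead of escaping it. It assumes a `users` table with `user` and `pass` columns and uses an in-memory SQLite database (via pdo_sqlite) so it runs offline.

```php
<?php
// Added example for the thread above; the table name, column names and the
// SQLite stand-in database are assumptions, not the original poster's setup.

function findUser(PDO $pdo, string $table, string $username, string $password): ?array
{
    // Identifiers (table names) cannot be bound as parameters, so they are
    // checked against a fixed allow-list rather than taken from user input.
    $allowedTables = ['users' => true];
    if (!isset($allowedTables[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }

    // Values are sent as bound parameters (:user, :pass); they are never
    // concatenated into the SQL text, so quotes in the input stay data.
    $sql = "SELECT * FROM `$table` WHERE `user` = :user AND `pass` = :pass";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':user' => $username,
        // md5() is kept only to match the thread's schema; new code should
        // store password_hash() output and compare with password_verify().
        ':pass' => md5($password),
    ]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: in-memory SQLite stands in for MySQL here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user TEXT, pass TEXT)');
$insert = $pdo->prepare('INSERT INTO users (user, pass) VALUES (:u, :p)');
$insert->execute([':u' => "o'brien", ':p' => md5('secret')]);

// A username containing a quote character is matched literally, and a wrong
// password yields no row: the quote never reaches the SQL parser.
var_dump(findUser($pdo, 'users', "o'brien", 'secret') !== null); // bool(true)
var_dump(findUser($pdo, 'users', "o'brien", 'wrong') !== null);  // bool(false)
```

The same pattern works against MySQL by swapping the DSN for `mysql:host=...;dbname=...`, since PDO prepares and binds the statement server-side.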