Originally Posted by evilghost
I know this is an older thread but I wanted to comment on t3hl33td4rg0n's excellent example. All is fine; however, it is strongly
recommended that you use the mysql_escape_string() function to properly sanitize user input to avoid SQL injection.
In his example, the below code:
// Before: the raw POST value is concatenated straight into the SQL text (injectable).
// String values are quoted with single quotes; backticks are only for identifiers like the table name.
$s = "SELECT * FROM `$utbl` WHERE `user` = '" . $_POST['username'] . "' AND `pass` = '" . md5($_POST['password']) . "'";
// After: the username is escaped before it is concatenated into the query.
$s = "SELECT * FROM `$utbl` WHERE `user` = '" . mysql_escape_string($_POST['username']) . "' AND `pass` = '" . md5($_POST['password']) . "'";
This will prevent SQL injection; otherwise, SQL injection could occur.
I assume that you're using md5() to hash the password. Is it OK to use the PASSWORD() hashing method instead?
This is what I planned to use in my MySQL database.
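Added example, not code from this thread or from either poster: the same login lookup built two ways in PHP, so the difference between splicing user input into the SQL text and passing it as a bound parameter is visible on ordinary input. It assumes PDO with an in-memory SQLite database (so it runs without a MySQL server; the backtick-quoted table name works in both), a constructed test account, and uses password_hash()/password_verify() in place of md5() as the hashing choice for this example.

```php
<?php
// Added example (not from the thread). Runs against an in-memory SQLite database via PDO.
// Table name $utbl and columns user/pass follow the thread; the account is constructed.

$utbl = 'users';
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `$utbl` (user TEXT PRIMARY KEY, pass TEXT NOT NULL)");

// Constructed test account. password_hash() (bcrypt by default) is used instead of md5():
// it is salted and deliberately slow, so a stolen hash table cannot be cracked cheaply.
$stmt = $pdo->prepare("INSERT INTO `$utbl` (user, pass) VALUES (?, ?)");
$stmt->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. Concatenation, as in the quoted post: the user-supplied value becomes part of the SQL text.
function lookupConcat(PDO $pdo, string $utbl, string $username): ?array
{
    $s = "SELECT * FROM `$utbl` WHERE user = '" . $username . "'";
    $row = $pdo->query($s)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Prepared statement: the SQL text is fixed and the value travels separately,
//    so no character in $username can change the structure of the query.
function lookupPrepared(PDO $pdo, string $utbl, string $username): ?array
{
    $stmt = $pdo->prepare("SELECT * FROM `$utbl` WHERE user = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Check a submitted password against the stored hash; password_verify() does a constant-time compare.
function login(PDO $pdo, string $utbl, string $username, string $password): bool
{
    $row = lookupPrepared($pdo, $utbl, $username);
    return $row !== null && password_verify($password, $row['pass']);
}

$name = "o'brien";  // an ordinary name containing an apostrophe, not an attack string

try {
    lookupConcat($pdo, $utbl, $name);
    echo "concat: no error\n";
} catch (PDOException $e) {
    // The apostrophe ends the string literal early, so the query is malformed.
    // A benign name gives a syntax error; a crafted value could instead change the query's
    // meaning, which is exactly the injection the thread is warning about.
    echo "concat: query broke on ordinary input (" . $e->getMessage() . ")\n";
}

var_dump(lookupPrepared($pdo, $utbl, $name)['user'] === $name);
var_dump(login($pdo, $utbl, $name, 'correct horse'));
var_dump(login($pdo, $utbl, $name, 'wrong'));
```

Run it with `php login_example.php` (the pdo_sqlite extension must be enabled). The concatenated lookup fails on a name containing an apostrophe, while the prepared statement finds the row, which is the same property that stops a crafted value from altering the query; escaping functions patch the concatenation approach, but binding parameters removes the problem rather than sanitizing around it.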