View Single Post
Old 05-23-07, 03:02 PM   #13
ViN86
 
Join Date: Mar 2004
Posts: 15,486
Default Re: Need a non-functional PHP login box

Quote:
Originally Posted by evilghost
I know this is an older thread but I wanted to comment on the t3hl33td4rg0n's excellent example. All is fine, however, it is is strongly recommended that you use the mysql_escape_string(); function to properly sanitize user-input to avoid SQL injection.

In his example, the below code:

Code:
$s = 'SELECT * FROM `'.$utbl.'` WHERE `user` = `'.$_POST['username'].'` AND `pass` = `'.md5($_POST['password']).'`';
Should become:
Code:
$s = 'SELECT * FROM `'.$utbl.'` WHERE `user` = `'.mysql_escape_string($_POST['username']).'` AND `pass` = `'.md5($_POST['password']).'`';
This will prevent SQL injection, else, SQL injection could occur.
evilghost -

i assume that youre using the .md5() to hash the password. is it ok to use the password() hashing method instead?

this is what i planned to use in my MySQL database.
ViN86 is offline   Reply With Quote