On 8/24/07, Borokov Smith <borokov@xxxxxxxxx> wrote:
[snip]
> A warrant about your example not being validated, will most likely not
> stop the OP from using this code as is, thereby subjecting himself to
> SQL injection.
> And all it needed was mysql_real_escape_string() in there.
>
> Kinda' like this part, right?
[snip]
> if($_POST['user'] && $_POST['pass']) { // Keep in mind, PASSWORD has meaning in MySQL
>     // Do your string sanitizing here
>     // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
>     $sql = "SELECT * FROM users WHERE user='".$user."' AND pass='".$pass."' LIMIT 0,1;";
[/snip]

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

Hey, PHP-General list.... 50% off for life on web hosting plans $10/mo. or more at http://www.pilotpig.net/. Use the coupon code phpgeneralaug07
Register domains for about $0.01 more than what it costs me at http://domains.pilotpig.net/.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
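The snippet quoted above leaves $user and $pass to be sanitised "somewhere" before they are concatenated into the query, which is the gap the reply is pointing at. The following is an added example, not code from the thread or from either poster: it shows the same login query in the vulnerable concatenated form, the escaped form the thread recommends, and a prepared-statement form that keeps user data out of the SQL text altogether. It uses the mysqli extension rather than the 2007-era mysql_* functions (which no longer exist in current PHP), and assumes a users table with columns id, user and pass_hash, and placeholder connection credentials; all of those names are constructed for the example.

```php
<?php
// Added example, not from the original thread. Assumes a `users` table with
// columns id, user and pass_hash (constructed names) and a mysqli connection.
declare(strict_types=1);

// VULNERABLE: the quoted snippet interpolates $user and $pass straight into
// the statement, so a quote character in either field changes the query.
function buildLoginSqlUnsafe(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE user='" . $user . "' AND pass='" . $pass . "' LIMIT 0,1;";
}

// ESCAPED: what the thread asks for. mysqli_real_escape_string() is only
// correct for the connection's character set, so set_charset() must be
// called first, and every call site has to remember to escape.
function buildLoginSqlEscaped(mysqli $db, string $user, string $pass): string
{
    $u = mysqli_real_escape_string($db, $user);
    $p = mysqli_real_escape_string($db, $pass);
    return "SELECT * FROM users WHERE user='" . $u . "' AND pass='" . $p . "' LIMIT 0,1;";
}

// PREFERRED: a prepared statement sends the SQL and the parameters
// separately, so there is no escaping step to forget. The password is
// checked with password_verify() against a stored hash instead of being
// compared inside the WHERE clause.
function loginUser(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, user, pass_hash FROM users WHERE user = ? LIMIT 1');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true || !password_verify($pass, $hash)) {
        return null; // unknown user or wrong password, reported identically
    }
    return ['id' => $id, 'user' => $name];
}

// Require both fields to be present and to be strings before using them.
if (isset($_POST['user'], $_POST['pass'])
    && is_string($_POST['user']) && is_string($_POST['pass'])) {
    $db = new mysqli('localhost', 'app', 'secret', 'appdb'); // placeholder credentials
    $db->set_charset('utf8mb4');
    $account = loginUser($db, $_POST['user'], $_POST['pass']);
    echo $account === null ? "Login failed\n" : "Welcome, {$account['user']}\n";
}
```

The two builder functions are kept only to show the difference side by side; in new code the prepared-statement path is the one to use, and buildLoginSqlUnsafe() should never reach a database.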