On 8/24/07, Borokov Smith <borokov@xxxxxxxxx> wrote:
> Daniel Brown wrote:
> > On 8/24/07, Borokov Smith <borokov@xxxxxxxxx> wrote:
> > [snip]
> >
> >> A warrant about your example not being validated will most likely not
> >> stop the OP from using this code as is, thereby subjecting himself to
> >> SQL injection.
> >> And all it needed was mysql_real_escape_string() in there.
> >>
> >
> > Kinda' like this part, right?
> > [snip]
> >
> >> if($_POST['user'] && $_POST['pass']) { // Keep in mind, PASSWORD has meaning in MySQL
> >>     // Do your string sanitizing here
> >>     // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
> >>     $sql = "SELECT * FROM users WHERE user='".$user."' AND pass='".$pass."' LIMIT 0,1;";
> >>
> > [/snip]
> >
>
> Exactly what I was talking about.
> Sorry dude :)
>
> greetz,
>
> boro
>

No problem at all, brother! I just left it commented out for the OP (or
anyone reading the archives) to make their own adjustments or decisions
on Best Practices[tm].

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

Hey, PHP-General list.... 50% off for life on web hosting plans $10/mo.
or more at http://www.pilotpig.net/. Use the coupon code phpgeneralaug07

Register domains for about $0.01 more than what it costs me at
http://domains.pilotpig.net/.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
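The exchange above turns on one point: with the sanitizing line left commented out, the quoted login query splices $_POST['user'] and $_POST['pass'] straight into the SQL text. The following is an added example, not code from this thread or from the PHP mysql extension; it rebuilds the same query shape in Python against an in-memory SQLite table (constructed test rows) so the bypass can be run offline, then shows the two fixes. Because SQLite is used instead of MySQL, the escaping step doubles single quotes (SQLite's literal syntax) where the thread's MySQL code would call mysql_real_escape_string(); the parameterized variant is the form a practitioner would use in either case. Function and table names are assumptions for the demo.

```python
"""Login query built the way the quoted PHP snippet builds it, beside an
escaped and a parameterized version, run against an in-memory SQLite table.
Added example, not code from the original thread; the users table and its
rows are constructed test data."""
import sqlite3

# Classic tautology payload: closes the quoted literal and ORs in a true term.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed users table; first row is 'admin' so LIMIT 0,1 returns it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pw: str):
    """Vulnerable: same shape as the quoted snippet, untrusted input in the SQL text."""
    sql = ("SELECT user FROM users WHERE user='" + user
           + "' AND pass='" + pw + "' LIMIT 0,1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def escape_sqlite(s: str) -> str:
    """Escape for a single-quoted SQLite literal (double the quote).

    This stands in for mysql_real_escape_string(), which does the
    connection-charset-aware equivalent for MySQL.  Escaping only protects
    values that sit inside quotes; it does nothing for bare numbers,
    identifiers or LIMIT operands."""
    return s.replace("'", "''")


def login_escaped(conn: sqlite3.Connection, user: str, pw: str):
    """The fix the thread asks for: escape before concatenating."""
    sql = ("SELECT user FROM users WHERE user='" + escape_sqlite(user)
           + "' AND pass='" + escape_sqlite(pw) + "' LIMIT 0,1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn: sqlite3.Connection, user: str, pw: str):
    """Preferred fix: bound parameters never become part of the SQL text."""
    row = conn.execute(
        "SELECT user FROM users WHERE user=? AND pass=? LIMIT 0,1", (user, pw)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("concat  :", login_concat(db, PAYLOAD, PAYLOAD))   # admin (bypassed)
    print("escaped :", login_escaped(db, PAYLOAD, PAYLOAD))  # None
    print("param   :", login_param(db, PAYLOAD, PAYLOAD))    # None
    print("legit   :", login_param(db, "alice", "hunter2"))  # alice
```

With the payload in both fields the concatenated query reads `WHERE user='' OR '1'='1' AND pass='' OR '1'='1' LIMIT 0,1`, which is true for every row, so the first user is returned without a password. Escaping turns each payload into an ordinary string that matches nothing; binding does the same without the query text ever changing.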