Re: Code Not entering the value in the Database

2009/1/20 Chris Carter <chandan9sharma@xxxxxxxxx>:
>
> Hi,
>
> My code is not giving error but not doing the desired action.
>
But it can do a lot more than your desired action.


>   // insert new entry in the database if entry submitted
>
>                  $emailAddress = $_POST['emailAddress'];
>                  $password = $_POST['password'];
>                  $sql5 = "SELECT * FROM userstable WHERE emailAddress='$emailAddress' AND
> password = '$password'";
>                  $result5=mysql_query($sql5);

Do yourself a favor and read this from A to Z:
http://de3.php.net/manual/en/security.php
Imagine I send the String: x' OR id=1/*
What would the mysql read now?

SELECT * FROM userstable WHERE emailAddress='x' OR id=1/*' AND ...
everything after "/*" is not being parsed.


>                header("location:you-need-to-register.php");
correct would be header("location: http://foo/you-need-to-register.php");


> What exactly am I missing.

http://php.net/docs.php


Byebye

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
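The two points raised in the reply (string-interpolated SQL that lets `x' OR id=1/*` rewrite the query, and the relative `Location:` header) side by side with the hardened form. This is an added example written for this archive page, not code from the original poster or the reply. It assumes an in-memory SQLite database through PDO so it runs offline (the post used the legacy `mysql_*` extension against MySQL; that extension was deprecated in PHP 5.5 and removed in 7.0), and `https://example.com/` stands in for the real host that `http://foo/` stands in for in the reply.

```php
<?php
// Added example, not from the original thread.
// Assumes PHP 7+ with pdo_sqlite; table/column names follow the quoted post.
declare(strict_types=1);

// 1. The quoted pattern: request data concatenated straight into SQL.
//    Only builds the string; it is never executed here.
function vulnerableSql(string $emailAddress, string $password): string
{
    return "SELECT * FROM userstable WHERE emailAddress='$emailAddress' AND password='$password'";
}

// 2. Hardened form: a prepared statement keeps the input as a literal value,
//    and the password is checked against a hash instead of being compared in SQL.
function findUser(PDO $db, string $emailAddress, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, emailAddress, passwordHash FROM userstable WHERE emailAddress = :email'
    );
    $stmt->execute([':email' => $emailAddress]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passwordHash'])) {
        return null;
    }
    return $row;
}

// 3. Redirect with an absolute URL, as the reply suggests, and stop the script so
//    nothing after the redirect keeps running. Must be called before any output.
function redirectToRegister(): void
{
    header('Location: https://example.com/you-need-to-register.php'); // placeholder host
    exit;
}

// Demo with a constructed user record.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userstable (id INTEGER PRIMARY KEY, emailAddress TEXT, passwordHash TEXT)');
$ins = $db->prepare('INSERT INTO userstable (emailAddress, passwordHash) VALUES (:e, :h)');
$ins->execute([':e' => 'alice@example.com', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

$input = "x' OR id=1/*"; // the input the reply uses as its illustration

// What the quoted code would hand to the database for that input:
echo vulnerableSql($input, 'anything'), "\n";

// The same input through the prepared statement is just an email address that
// does not exist, so no row comes back.
var_export(findUser($db, $input, 'anything') === null);
echo "\n";
// Wrong password for a real account: no row either.
var_export(findUser($db, 'alice@example.com', 'wrong') === null);
echo "\n";
// Correct credentials: the row is returned.
var_export(findUser($db, 'alice@example.com', 'correct horse')['emailAddress']);
echo "\n";
```

Beyond the injection itself, the original query compares a plaintext password column; the hardened version stores `password_hash()` output and verifies with `password_verify()`, so a leaked table does not hand out usable credentials.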

