Daniel Brown wrote:
First, a reminder to several (including some in this thread) that
top-posting is against the law here.
On Wed, Jul 8, 2009 at 09:48, Martin Scotta <martinscotta@xxxxxxxxx> wrote:
$sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
.'\'))';
Second, another, more important reminder:
<?php
$username = '" OR 1 OR "';
?>
Since the first rows in a database are usually the default
administrator logins, the first to match what is basically a 'match if
this is a row' statement will be logged in. The moral of the story:
don't forget to clean your input (which I'm sure y'all were doing...
but with top-posters, you never know ;-P).
Prepared statements really do a pretty good job at neutering SQL
injection. But one shouldn't be lazy with input validation anyway.
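The two login forms under discussion side by side, as an added example that is not code from the thread: the quoted concatenated query, a PDO prepared-statement version of the same query, and a whitelist check on the username. It runs against an in-memory SQLite table (the table, the single admin row and the credentials are constructed for the demo). SQLite has no md5()/concat(), so the md5(username@password) hash the quoted query computed in SQL is computed in PHP instead; the query shape is otherwise the same. The "OR 1" username from the thread is written with single quotes here to match the quoted query's quoting.

```php
<?php
// Added example, not from the mailing-list thread. Constructed in-memory
// table and credentials so it runs offline without MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)');
// First row is the administrator, as in the thread's scenario.
$pdo->exec("INSERT INTO users (username, passwd) VALUES ('admin', '"
    . md5('admin@s3cret') . "')");

// Vulnerable: same shape as the quoted query. The username is pasted into
// the SQL text, so a value containing a quote changes the statement.
function loginConcat(PDO $pdo, string $username, string $password): ?array
{
    $hash = md5($username . '@' . $password);
    $sql  = "SELECT * FROM users WHERE username = '" . $username . "'"
          . " AND passwd = '" . $hash . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the SQL text is fixed; the username and hash travel as bound
// parameters and are never interpreted as SQL.
function loginPrepared(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :u AND passwd = :p');
    $stmt->execute([
        ':u' => $username,
        ':p' => md5($username . '@' . $password),
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Input validation on top of the prepared statement: a whitelist of
// characters and a length bound (assumed policy for this demo).
function isValidUsername(string $username): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/i', $username) === 1;
}

// The thread's "match if this is a row" username, quoted to fit this query.
$attackerName = "' OR 1 OR '";

// Concatenated query: WHERE username = '' OR 1 OR '' AND passwd = '...'
// is true for every row, so the first row (admin) is "logged in".
$viaConcat = loginConcat($pdo, $attackerName, 'anything');
echo "concat:   " . ($viaConcat ? "logged in as {$viaConcat['username']}" : 'rejected') . "\n";

// Prepared statement: the same string is compared literally to the
// username column, matches nothing, and the login is rejected.
$viaPrepared = loginPrepared($pdo, $attackerName, 'anything');
echo "prepared: " . ($viaPrepared ? "logged in as {$viaPrepared['username']}" : 'rejected') . "\n";

// Validation rejects the value before any query is built at all.
echo "validator: " . (isValidUsername($attackerName) ? 'accepted' : 'rejected') . "\n";

// Legitimate credentials still work through the prepared path.
$ok = loginPrepared($pdo, 'admin', 's3cret');
echo "legit:    " . ($ok ? "logged in as {$ok['username']}" : 'rejected') . "\n";
```

Run with `php login_demo.php`; the concatenated path prints `logged in as admin`, the prepared path and the validator print `rejected`, and the real credentials log in. Two points worth keeping in mind beyond what the thread states: the prepared statement protects the SQL, not the data model, so the validator still has a job (length limits, character set, anything the application relies on downstream); and md5 of a salted-by-convention string is not a suitable password store, so a real application would use `password_hash()`/`password_verify()` instead of the md5 comparison kept here for fidelity to the quoted query.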
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php