Michael A. Peters wrote:
> Daniel Brown wrote:
>> First, a reminder to several (including some in this thread) that
>> top-posting is against the law here.
>>
>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta<martinscotta@xxxxxxxxx>
>> wrote:
>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>>> .'\'))';
>>
>> Second, another, more important reminder:
>>
>> <?php
>> $username = '" OR 1 OR "';
>> ?>
>>
>> Since the first rows in a database are usually the default
>> administrator logins, the first to match what is basically a 'match if
>> this is a row' statement will be logged in. The moral of the story:
>> don't forget to clean your input (which I'm sure y'all were doing....
>> but with top-posters, you never know ;-P).
>>
>
> Prepared statements really do a pretty good job at neutering SQL
> injection. But one shouldn't be lazy with input validation anyway.
>

I have a couple of questions/comments re all this:

1. Doing the login and processing through https should add a bit more
security, it seems to me.

2. Cleaning is another bloody headache, for me anyway. I have found that
almost every time I try to do some cleaning with trim and
mysql_real_escape_string and stripslashes, it wipes out my usernames and
passwords. I haven't been able to use them when doing the crypt and
encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
lost on this.

Specifically, this wipes out my login and password... (I know, this is
old code, but it is supposed to work, no?)

    // Function to sanitize values received from the form.
    // Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    // Sanitize the POST values
    $login    = clean($_POST['login']);
    $password = clean($_POST['password']);

When I echoed the cleaned $login and $password, they looked like they had
just gone through an acid bath before being hit by Katrina (the
hurricane)... ;-) rather whitewashed and empty. There was nothing left to
work with.

--
Hervé Kempf: "To save the planet, get out of capitalism."
-------------------------------------------------------------
Phil Jourdan --- pj@xxxxxxxxxxxxx
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
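An added example, not part of the thread: the injected login Daniel Brown describes, played out against an in-memory SQLite database. Python's standard sqlite3 module stands in for the PHP/MySQL code in the posts, and md5_login is a user-defined function registered here because SQLite has no md5(). The users table, the accounts and the passwords are constructed sample data, and the payload uses single quotes to match the single-quoted literals of the posted query. The concatenated query returns the first row (the admin) for the payload and fails with a syntax error for a legitimate name containing an apostrophe, which is the kind of breakage escaping is meant to prevent; the parameterised version treats both inputs as plain data, which is the point Michael A. Peters makes about prepared statements.

```python
"""Added example (not from the thread): the injected login described in
the posts, run against an in-memory SQLite database that stands in for
the MySQL table of the posted query. All users and passwords below are
constructed sample data."""
import hashlib
import sqlite3

# Constructed sample data. The administrator is the first row, which is why
# a WHERE clause that matches every row hands back that account.
USERS = [
    ("admin", "s3cret-admin"),
    ("alice", "hunter2"),
    ("o'brien", "pa55word"),  # legitimate apostrophe: breaks naive quoting
]

# Payload in the spirit of the thread, with single quotes to match the
# single-quoted literals of the posted query.
INJECTED = "' OR 1 OR '"


def passwd_hash(username, password):
    """md5(concat(username, '@', password)), mirroring the posted scheme.
    Unsalted MD5 is reproduced only to match the query; it is not a
    recommendation for password storage."""
    return hashlib.md5(f"{username}@{password}".encode()).hexdigest()


def make_db():
    """Build the sample table. md5_login is registered because SQLite has
    no md5(); it is an assumed name, not part of any post."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5_login", 2, passwd_hash)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO users (username, passwd) VALUES (?, ?)",
        [(u, passwd_hash(u, p)) for u, p in USERS],
    )
    return conn


def login_concat(conn, username, password):
    """Vulnerable: builds the SQL by string concatenation like the posted
    query. Returns the matched username or None."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username + "'"
        " AND passwd = md5_login('" + username + "', '" + password + "')"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Hardened: a parameterised statement. The driver passes the values
    separately from the SQL text, so quotes in them are data, never code."""
    sql = "SELECT username FROM users WHERE username = ? AND passwd = md5_login(?, ?)"
    row = conn.execute(sql, (username, username, password)).fetchone()
    return row[0] if row else None


def run_demo():
    """Run both login styles over valid, wrong, injected and apostrophe
    inputs; returns {(style, case): outcome} for inspection."""
    conn = make_db()
    results = {}
    for style, login in (("concat", login_concat), ("prepared", login_prepared)):
        results[(style, "valid")] = login(conn, "alice", "hunter2")
        results[(style, "wrong")] = login(conn, "alice", "wrong-password")
        results[(style, "injected")] = login(conn, INJECTED, "anything")
        try:
            results[(style, "apostrophe")] = login(conn, "o'brien", "pa55word")
        except sqlite3.OperationalError as exc:
            # The concatenated form produces `username = 'o'brien'`, which
            # SQLite rejects as a syntax error.
            results[(style, "apostrophe")] = f"SQL error: {exc}"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(run_demo().items()):
        print(f"{key[0]:8s} {key[1]:10s} -> {outcome!r}")
```

Running it prints eight outcomes: the concatenated form logs the payload in as admin and errors out on o'brien, while the parameterised form rejects the payload and logs o'brien in normally. Escaping (mysql_real_escape_string and friends) is the other route, but it only helps when the escaped string is then placed between the quotes the escaping assumes; with bound parameters there is nothing to escape and nothing to get wrong.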