Cookie security question


freeloader

I'm installing a script for a friend and went over the login procedure.

 

This is the check it does every page to see if the right one is logged in:

if($_COOKIE["usNick"] and $_COOKIE["usPass"])
{
    // cookie values are interpolated into the query unescaped
    $q = mysql_query("SELECT * FROM tb_users WHERE username='{$_COOKIE['usNick']}' AND password='{$_COOKIE['usPass']}'") or die(mysql_error());
    if(mysql_num_rows($q) == 0)
    {
        $_COOKIE['usNick'] = false;
        $_COOKIE['usPass'] = false;
    }
}


My MySQL knowledge is pretty basic, so my first question is: what do the {} do in the query?


And secondly, doesn't this pose a security risk? Someone could log in and edit the cookie with a SQL injection. There are advanced SQL injection checks at the login page, but since there's no security on this one, it gets injected right into the database, or am I not seeing something?


Thanks for looking over it in advance :)

https://forums.phpfreaks.com/topic/107318-cookie-security-question/

what do the {} do in the query?

It makes it possible to use an array value in a double-quoted string, the array value being $_COOKIE['usNick'], etc.

 

For database interaction, you should use mysql_real_escape_string on user input, e.g.,


$q = mysql_query("SELECT * FROM tb_users"
    . " WHERE username='" . mysql_real_escape_string($_COOKIE['usNick']) . "'"
    . " AND password='" . mysql_real_escape_string($_COOKIE['usPass']) . "'")
    or die(mysql_error());


I would use sessions instead of managing cookies manually via code.
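As an added example (not code from the thread or from the script being installed), this is the login check and the per-page check rewritten so that cookie contents never reach SQL: a prepared statement plus password_verify() at login, and a server-side session value on every other page. The table and column names come from the question; the sample user, the in-memory SQLite database and the function names are assumptions for the demo.

```php
<?php
// Added example, not code from the thread or the script being installed.
// Table and column names (tb_users, username, password) come from the question;
// the sample user, the in-memory SQLite database and the function names are
// assumptions for the demo. In the real script the DSN would point at MySQL.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tb_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    // Constructed sample user: the password column stores a hash, not the clear text.
    $st = $db->prepare('INSERT INTO tb_users (username, password) VALUES (:u, :p)');
    $st->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Login page. The username is bound as a parameter, so whatever the client
// sends is compared as a literal string and cannot change the SQL. The
// password is checked with password_verify() rather than in the WHERE clause.
function login(PDO $db, string $nick, string $pass): ?int {
    $st = $db->prepare('SELECT id, password FROM tb_users WHERE username = :u');
    $st->execute([':u' => $nick]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Every other page. Only the server-side session is consulted; no cookie
// value is trusted and no query is run, so there is nothing to inject into.
function currentUserId(): ?int {
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

// CLI demo. In the web script call session_start() before any output, and
// session_regenerate_id(true) right after a successful login.
$db = connect();
foreach ([['alice', 'correct horse'], ["Admin';", 'anything']] as [$nick, $pass]) {
    $_SESSION = [];                      // fresh session for each attempt
    $uid = login($db, $nick, $pass);
    if ($uid !== null) {
        $_SESSION['uid'] = $uid;         // the only thing later pages look at
    }
    printf("login(%s): %s; page check sees user %s\n",
        var_export($nick, true),
        $uid === null ? 'rejected' : "user $uid",
        var_export(currentUserId(), true));
}
```

The second attempt uses the exact cookie value the thread speculates about; with the parameter bound it is simply a username that does not exist, and the per-page check never touches the database at all.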

I always use session verification only in my own script, this one seems to use a combination of the two.

 

It starts the page with:

<? session_start();

 

This cookie thing could be a way for the coder to gain access to all distributed scripts. I'm guessing that by changing the cookie to: Admin'; it will break off the query and stop the password check?
