
MySQL Injection Prevention Check


aeonsky


Hey, is this a fool-proof way to prevent MySQL from injections? Thanks for the time!

 

function validate() {
    connect_mysql();
    // Trim the submitted username, strip backslashes, then escape it for the query
    $form_user = mysql_real_escape_string(stripslashes(trim($_POST['form_user'])));

    $form_pass = $_POST['form_pass'];
    $result = mysql_query("SELECT * FROM user WHERE username = '$form_user'") or die("Wrong username/password! ".mysql_error());
    $row = mysql_fetch_array($result);
    $mysql_user = $row['username'];
    $mysql_pass = $row['password'];
    // Compare the MD5 of the submitted password with the stored value
    if (md5($form_pass) != $mysql_pass) { echo "Wrong username/password!"; die; }
    mysql_close();
    $_SESSION['login'] = TRUE;
    header('Location:'.$_SERVER['PHP_SELF']);
}

https://forums.phpfreaks.com/topic/112525-mysql-injection-prevention-check/

Oh, maybe another improvement?

 

before >>>

$result = mysql_query("SELECT * FROM user WHERE username = '$form_user'") or die("Wrong username/password! ".mysql_error());

 

 

after >>>

$result = mysql_query("SELECT * FROM user WHERE username = ('$form_user')") or die("Wrong username/password! ".mysql_error());
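
Added example, not part of the original thread: the same login lookup written with a PDO prepared statement, so the username is sent as a bound parameter instead of being escaped and interpolated into the SQL string. The function name check_login(), the in-memory SQLite database (standing in for MySQL so the script runs offline), the sample account and the password_hash() storage format are assumptions made for this example.

```php
<?php
// An in-memory SQLite database stands in for the MySQL server (assumption);
// for MySQL only the DSN passed to the PDO constructor changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');

// Constructed sample account; the password column is assumed to hold
// password_hash() output rather than the thread's md5() digests.
$ins = $pdo->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical replacement for the thread's validate(): returns true only
 * when the username exists and the password matches its stored hash.
 */
function check_login(PDO $pdo, string $user, string $pass): bool
{
    // The SQL text is fixed; the username travels as a bound parameter,
    // so quotes or parentheses in it cannot change the query structure.
    $stmt = $pdo->prepare('SELECT password FROM user WHERE username = :u');
    $stmt->execute([':u' => trim($user)]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed inputs: a valid login, a wrong password, and two usernames
// containing SQL metacharacters, which are looked up as literal strings.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
    ["alice') OR ('1'='1", 'anything'],
];
foreach ($cases as [$u, $p]) {
    printf("%-22s => %s\n", $u, check_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```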

 

Archived

This topic is now archived and is closed to further replies.
