aeonsky Posted June 30, 2008

Hey, is this a fool-proof way to prevent MySQL from injections? Thanks for the time!

```php
function validate()
{
    connect_mysql();
    // Escape the submitted username before it is placed inside the query string.
    $form_user = mysql_real_escape_string(stripslashes(trim($_POST['form_user'])));
    $form_pass = $_POST['form_pass'];
    $result = mysql_query("SELECT * FROM user WHERE username = '$form_user'")
        or die("Wrong username/password! ".mysql_error());
    $row = mysql_fetch_array($result);
    $mysql_user = $row['username'];
    $mysql_pass = $row['password'];
    // Compare the MD5 of the submitted password with the stored value.
    if (md5($form_pass) != $mysql_pass) {
        echo "Wrong username/password!";
        die;
    }
    mysql_close();
    $_SESSION['login'] = TRUE;
    header('Location:'.$_SERVER['PHP_SELF']);
}
```

darkfreaks Posted June 30, 2008

Looks great to me.

unsider Posted June 30, 2008

Looks good to me as well. No other code you wanna run by us?

aeonsky Posted June 30, 2008

Oh, maybe another improvement?

before >>>

```php
$result = mysql_query("SELECT * FROM user WHERE username = '$form_user'") or die("Wrong username/password! ".mysql_error());
```

after >>>

```php
$result = mysql_query("SELECT * FROM user WHERE username = ('$form_user')") or die("Wrong username/password! ".mysql_error());
```

MasterACE14 Posted June 30, 2008

Yeah, it's looking pretty good.
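
The login check from the first post rewritten with a bound parameter, as an added example that is not part of the thread or any poster's code. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table contents, the `validate_login` name and the sample inputs are constructed, and `password_hash()`/`password_verify()` replace the `md5()` comparison.

```php
<?php
// Constructed demo: in-memory SQLite stands in for the thread's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted password_hash() value instead of a bare md5() digest.
$insert = $pdo->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
$insert->execute([
    ':u' => 'alice',                                          // constructed account
    ':p' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

/**
 * Return true only when the username exists and the password matches.
 * The username is sent as a bound parameter, so any quote characters in it
 * are compared as data and never become part of the SQL text.
 */
function validate_login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM user WHERE username = :u');
    $stmt->execute([':u' => trim($user)]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    if ($hash === false) {
        return false;               // unknown user: same answer as a bad password
    }
    return password_verify($pass, $hash);
}

// Constructed inputs: one valid login, one wrong password, and two usernames
// carrying quote and comment characters.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong password'],
    ["alice' OR '1'='1", 'anything'],
    ["alice' -- ", 'anything'],
];

foreach ($cases as [$user, $pass]) {
    $outcome = validate_login($pdo, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-20s => %s\n", $user, $outcome);
}
```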