bothwell, posted October 11, 2008

The company I work for bought some software from a third party vendor that was riddled with mistakes, broken code, and SQL injection vulnerabilities. My co wanted me to go through the views on the software and change it all from tables to divs (it pays the bills, I suppose), but when I'd finished that I presented them with a list of broken stuff to get the developer to fix. The thing that still worries me is the SQL injection vulns because I don't know enough about them to know how secure the code is. What he's done to fix it is something like:

```php
// the vendor's "fix", as posted: user input is still interpolated straight into the SQL string
$query = "SELECT * FROM table WHERE uname = '$uname' AND upass = '$upass'";
if (!$query) {
    print "There has been a database error";
}
mysql_query($query);
```

I am not at all sure what this means. Is he checking that the value of $query matches what's in the code? Entering apostrophes into the input fields does return the database error print, so I don't think anything is being sanitised at all. It is at least impervious to my super-basic knowledge of SQL injection attack methods (but I'm hardly joe hax0r). Is this a valid approach?

https://forums.phpfreaks.com/topic/127955-yet-another-sql-injection-question/
Bendude14, posted October 11, 2008

Well, all the line below is doing is checking whether $query has a value or not:

```php
if (!$query)
```

The real problems would come if the variables $uname and $upass had not been correctly handled from the user. Can you show us the validation for those two vars?

https://forums.phpfreaks.com/topic/127955-yet-another-sql-injection-question/#findComment-662573
aeonsky, posted October 11, 2008

Make sure you do:

```php
// escape the raw user input before it goes anywhere near the SQL string
$uname = trim(mysql_real_escape_string($uname));
$upass = trim(mysql_real_escape_string($upass));
$query = "SELECT * FROM table WHERE uname = ('$uname') AND upass = ('$upass')";
$result = mysql_query($query) or die(mysql_error()); // Actually checks for connection
```

And...

```php
!$query
```

...is useless in my opinion.

https://forums.phpfreaks.com/topic/127955-yet-another-sql-injection-question/#findComment-662591
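To make concrete both the point about `if (!$query)` and the escaping advice above, here is an added example that is not from the thread or from the vendor's software. It shows why the `!$query` check can never fire (a non-empty string is always truthy in PHP, so the query string is never "false"), and it hardens the same login query with a prepared statement on `mysqli` so that user input is bound as data rather than pasted into the SQL text. The `mysql_*` functions the posts use were removed in PHP 7, which is why the example uses `mysqli`. The table name `users`, the `upass_hash` column, and the environment-variable database credentials are assumptions made for this example.

```php
<?php
// Added example, not code from the forum thread or the vendor's product.
// Assumes a hypothetical table `users` (id, uname, upass_hash) where
// upass_hash was produced by password_hash(), and DB credentials in env vars.
declare(strict_types=1);

// The vendor's `if (!$query)` branch can never run: $query is a non-empty
// string, and a non-empty string is truthy, so !$query is always false.
function queryCheckIsUseless(): bool
{
    $query = "SELECT * FROM table WHERE uname = 'anything'";
    return !$query; // always false, regardless of what the user typed
}

/**
 * Look up a user with a parameterised query. The SQL text is fixed at
 * prepare() time; $uname is sent separately as a bound parameter, so quotes
 * or SQL fragments inside it are just characters in a string comparison.
 */
function findUser(mysqli $db, string $uname): ?array
{
    $stmt = $db->prepare('SELECT id, uname, upass_hash FROM users WHERE uname = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Verify the password in PHP against a stored password_hash() value, instead
 * of comparing a plaintext password inside the WHERE clause as the original
 * query did. Both a missing user and a wrong password return false.
 */
function login(mysqli $db, string $uname, string $upass): bool
{
    $row = findUser($db, $uname);
    if ($row === null) {
        return false;
    }
    return password_verify($upass, $row['upass_hash']);
}

// Connection details are assumed to come from the environment.
$db = new mysqli(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'appdb'
);
if ($db->connect_error) {
    // Report a generic failure; do not echo $db->connect_error to the client.
    exit('Database connection failed');
}
$db->set_charset('utf8mb4');

$ok = login($db, $_POST['uname'] ?? '', $_POST['upass'] ?? '');
echo $ok ? 'Welcome' : 'Invalid credentials';
```

The difference between this and the escaped-string version in the post above is where the boundary between code and data sits: with `mysql_real_escape_string` the input still becomes part of the SQL text and correctness depends on the escaping matching the connection's character set and on quoting every value consistently, whereas with a prepared statement the server receives the query shape and the values separately, so there is no string to break out of. Keeping the password comparison out of the WHERE clause also means the database never stores or compares plaintext passwords.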
This topic is now archived and is closed to further replies.