SQL Injection Prevention, Question.


nightkarnation

Hey Guys!

I have the following Working php script (receives the variables from Flash)

 

//LOGIN!
if ($action == "login")
{
    // retrieve data from Flash and escape it for use inside quoted SQL string literals
    $username = mysql_real_escape_string($_POST['Username']);
    $password = mysql_real_escape_string($_POST['txtPassword']);

    // both values are interpolated into single-quoted SQL literals
    $result = mysql_query("SELECT name, activated FROM buyers WHERE email = '$username' AND password = md5('$password')");

    // output each matching row as Flash variables: name0=...&activated0=...&
    $cant = 0;
    while ($row = mysql_fetch_array($result))
    {
        echo "name$cant=$row[name]&activated$cant=$row[activated]&";
        $cant++;
    }
    echo "cant=$cant&";

    if (mysql_num_rows($result) > 0)
    {
        echo "status1=exists";
    }
    else
    {
        echo "status1=Incorrect Login";
    }
}

 

As you can see I have used mysql_real_escape_string for the variables $username and $password that are coming from Flash.

I would really appreciate some guidance on whether this is the only safe code I need in this script.

For example: does $action == "login" also need mysql_real_escape_string?

That variable $action is also coming from Flash (but is not entered by a user).

 

Any ideas?

Thanks in advance,

Cheers!

https://forums.phpfreaks.com/topic/216610-sql-injection-prevention-question/
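As an added example (not the original poster's code, and not a reply from the thread), here is the same login handler written so that user input never becomes part of the SQL text at all: PDO prepared statements carry the values separately from the query, which removes the need for mysql_real_escape_string and the charset and quoting caveats that come with it. It also answers the $action question in code: $action is only ever compared, never placed into a query, so escaping it is irrelevant; a strict comparison against the one expected value is all it needs. The DSN, credentials, the assumption that email is unique in buyers, and the password_hash column (holding a password_hash() digest in place of md5()) are all assumptions made for this example.

```php
<?php
// Added example, not the original poster's script. Assumes a MySQL database
// reachable with the hypothetical DSN below and a table `buyers` with the
// columns email (unique), password_hash, name, activated.

function connect_db(): PDO
{
    // Hypothetical DSN and credentials; replace with your own.
    return new PDO(
        'mysql:host=localhost;dbname=shop;charset=utf8mb4',
        'app',
        'secret',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

/**
 * Look up the buyer by email and check the password.
 * Returns ['name' => ..., 'activated' => ...] on success, or null.
 */
function login(PDO $pdo, string $email, string $password): ?array
{
    // The query text contains only a placeholder. The driver sends the value
    // separately, so input such as  ' OR 1=1 --  is treated as data, never SQL.
    $stmt = $pdo->prepare(
        'SELECT name, activated, password_hash FROM buyers WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a password_hash() digest instead of an md5() value.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['name' => $row['name'], 'activated' => $row['activated']];
}

/**
 * Build the key=value&key=value response that Flash reads as variables.
 * http_build_query() URL-encodes every value, so a name containing '&' or '='
 * cannot break the variable list on the Flash side the way a raw echo can.
 */
function flash_response(?array $row): string
{
    if ($row === null) {
        return http_build_query(['cant' => 0, 'status1' => 'Incorrect Login']);
    }
    return http_build_query([
        'name0'      => $row['name'],
        'activated0' => $row['activated'],
        'cant'       => 1,
        'status1'    => 'exists',
    ]);
}

// $action is only compared, never interpolated into SQL, so it needs no
// escaping; a strict comparison against the expected value is sufficient.
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    $pdo = connect_db();
    $row = login(
        $pdo,
        (string)($_POST['Username'] ?? ''),
        (string)($_POST['txtPassword'] ?? '')
    );
    echo flash_response($row);
}
```

The rows in buyers would be created with password_hash($plain, PASSWORD_DEFAULT) for this to work; the original md5() values cannot be verified this way, so an existing table would need its passwords rehashed as users log in.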
