brown2005 Posted February 7, 2013 Share Posted February 7, 2013 $username = SanitizeForSQL($username); $pwdmd5 = md5($password); $stmt = $db->query("SELECT * FROM people INNER JOIN people_emails ON people_id=people_emails_person INNER JOIN members ON people_id=members_person WHERE members_username='$username' AND members_password='$pwdmd5' AND people_emails_primary='1' AND people_emails_valid='y'"); $row_count = $stmt->rowCount(); if($row_count <= 0){ $this->HandleError("Error logging in. The username or password does not match"); return false; } function SanitizeForSQL($str) { if( function_exists( "mysql_real_escape_string" ) ) { $ret_str = mysql_real_escape_string( $str ); } else { $ret_str = addslashes( $str ); } return $ret_str; } hi, above is the code I used whilst using the old mysql_ which I have converted to pdo: global $db; $username = $username; $password = md5($password); $stmt = $db->prepare("SELECT * FROM people INNER JOIN people_emails ON people_id=people_emails_person INNER JOIN members ON people_id=members_person WHERE members_username= :username AND members_password= :password AND people_emails_primary='1' AND people_emails_valid='y'"); $stmt->execute(array(':username' => $username,':password' => $password)); $row_count = $stmt->rowCount(); if($row_count <= 0){ $this->HandleError("Error logging in. The username or password does not match"); return false; } while($row = $stmt->fetch(PDO::FETCH_ASSOC)){ $_SESSION['name_of_user'] = $row['people_first']; $_SESSION['email_of_user'] = $row['people_emails_email']; } return true; is this the correct way to prevent sql injections instead of using the function SanitizeForSQL($str) Link to comment https://forums.phpfreaks.com/topic/274150-sanitizeforsql-function-to-pdo/ Share on other sites More sharing options...
Christian F. Posted February 7, 2013 Share Posted February 7, 2013 Yes, prepared statement automatically safeguard the data against SQL injections. However, your password handling is not adequate. Plain MD5 is pretty much the same as saving the password in plain text, as far as security goes. I recommend using bcrypt (PHP 5.3+) or PHPass instead. For a short introduction to the whys, and links to the above, please see this video: PS: You're not checking for SQL errors after executing the query, which you should be doing. Link to comment https://forums.phpfreaks.com/topic/274150-sanitizeforsql-function-to-pdo/#findComment-1410732 Share on other sites More sharing options...
brown2005 Posted February 7, 2013 Author Share Posted February 7, 2013 Thanks for your help. How do I check SQL errors in pdo? Link to comment https://forums.phpfreaks.com/topic/274150-sanitizeforsql-function-to-pdo/#findComment-1410768 Share on other sites More sharing options...
brown2005 Posted February 7, 2013 Author Share Posted February 7, 2013 Thanks for your help. How do I check SQL errors in pdo? Ignore that you've gave me a link. Thanks again Link to comment https://forums.phpfreaks.com/topic/274150-sanitizeforsql-function-to-pdo/#findComment-1410784 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.