Quotation

pedrobcabral · January 28, 2007

mysql_query("SELECT * FROM admin WHERE login='"{$_POST["login"]}"' AND password='"{$_POST["password"]}'"");

I can't deal with the " and ' .. I'm getting lost.. can anybody help me? Thank you

acp26b · January 28, 2007

$form_password = ($_POST['password']);
$form_login = ($_POST['login']);

$mysqlquery = "Select * from admin a where a.login = '$form_login' and a.password = '$form_password'";
$mysqlresult = mysql_query($mysqlquery);

Jessica · January 28, 2007

Another possible solution is:
mysql_query("SELECT * FROM admin WHERE login='".$_POST["login"]."' AND password='".$_POST["password"].'"")

However, this leaves you open to SQL injection. You need to properly santize user input.

acp26b · January 28, 2007

run your form variables through this:

[code]function format($text)
{
$text = preg_replace("/\W/", " ", $text);
return $text;
}[/code]

it will take out special chars to prevent injection, but it will also take out the @ symbol so be careful if you are using email address to as username or allowing special chars in password, if so you will need to tweek the reg expression a little

Jessica · January 28, 2007

...or you could just use mysql_real_escape_string, strip_tags, you know, the premade functions for that.

acp26b · January 28, 2007

Always got to one up everyone huh jesirose? :P

irken · January 28, 2007

[quote author=acp26b link=topic=124447.msg515614#msg515614 date=1170014715]
Always got to one up everyone huh jesirose? :P
[/quote]

It comes with the title: [b]PHPFreaks Recommended - Proficient[/b] ;D

Sign In

Quotation

Recommended Posts

pedrobcabral

Link to comment

Share on other sites

acp26b

Link to comment

Share on other sites

Jessica

Link to comment

Share on other sites

acp26b

Link to comment

Share on other sites

Jessica

Link to comment

Share on other sites

acp26b

Link to comment

Share on other sites

irken

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information