Quotation

[pedrobcabral]

mysql_query("SELECT * FROM admin WHERE login='"{$_POST["login"]}"' AND password='"{$_POST["password"]}'"");

I can't deal with the " and ' .. I'm getting lost.. can anybody help me? Thank you

[acp26b]

$form_password = ($_POST['password']);
$form_login = ($_POST['login']);

$mysqlquery = "Select * from admin a where a.login = '$form_login' and a.password = '$form_password'";
$mysqlresult = mysql_query($mysqlquery);

[Jessica]

Another possible solution is:
mysql_query("SELECT * FROM admin WHERE login='".$_POST["login"]."' AND password='".$_POST["password"].'"")

However, this leaves you open to SQL injection. You need to properly santize user input.

[acp26b]

run your form variables through this:

[code]function format($text)
{
$text = preg_replace("/\W/", " ", $text);
return $text;
}[/code]

it will take out special chars to prevent injection, but it will also take out the @ symbol so be careful if you are using email address to as username or allowing special chars in password, if so you will need to tweek the reg expression a little

[Jessica]

...or you could just use mysql_real_escape_string, strip_tags, you know, the premade functions for that.

[acp26b]

Always got to one up everyone huh jesirose? :P

[irken]

[quote author=acp26b link=topic=124447.msg515614#msg515614 date=1170014715]
Always got to one up everyone huh jesirose? :P
[/quote]

It comes with the title: [b]PHPFreaks Recommended - Proficient[/b]  ;D