webtuto Posted March 19, 2008 Share Posted March 19, 2008 hey i use this code to choose the right username and password $sql = "select * from `freelancer` where email='$_POST[email]' and password='$md5'"; $res=mysql_query($sql)or die(mysql_error()); and i wonder if its not secure ?????? !!!!! Link to comment https://forums.phpfreaks.com/topic/96964-about-my-members-system-sql-injection/ Share on other sites More sharing options...
Daney11 Posted March 19, 2008 Share Posted March 19, 2008 Are you just using $_POST['email']? I'd use $email = mysql_real_escape_string($_POST['email']); Link to comment https://forums.phpfreaks.com/topic/96964-about-my-members-system-sql-injection/#findComment-496199 Share on other sites More sharing options...
tendrousbeastie Posted March 19, 2008 Share Posted March 19, 2008 Hi, Don't ever ever ever pass anything from the superglobals ($_POST, $_GET, $_SERVER, etc) into an sql query, or really even to screen. People can put any data they want in these variables, and so can basically cause any commands they want to be executed as an SQL query. Make sure you sanitise your variables before you use them (clean them of any dangerous characters that could allow these things to happen). There are plenty of articles about on google about SQL injection that will show you how. Link to comment https://forums.phpfreaks.com/topic/96964-about-my-members-system-sql-injection/#findComment-496282 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.