webtuto Posted March 19, 2008 Share Posted March 19, 2008 hey i use this code to choose the right username and password $sql = "select * from `freelancer` where email='$_POST[email]' and password='$md5'"; $res=mysql_query($sql)or die(mysql_error()); and i wonder if its not secure ?????? !!!!! Quote Link to comment Share on other sites More sharing options...
Daney11 Posted March 19, 2008 Share Posted March 19, 2008 Are you just using $_POST['email']? I'd use $email = mysql_real_escape_string($_POST['email']); Quote Link to comment Share on other sites More sharing options...
tendrousbeastie Posted March 19, 2008 Share Posted March 19, 2008 Hi, Don't ever ever ever pass anything from the superglobals ($_POST, $_GET, $_SERVER, etc) into an sql query, or really even to screen. People can put any data they want in these variables, and so can basically cause any commands they want to be executed as an SQL query. Make sure you sanitise your variables before you use them (clean them of any dangerous characters that could allow these things to happen). There are plenty of articles about on google about SQL injection that will show you how. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.