rawveg 0 Newbie Poster

Personally, I would use something rather more robust than htmlentities. There are PHP functions specifically for protecting you against XSS attacks, so rather than:-

if (isset($_POST['username']) && !empty($_POST['password'])) {
    $user = array(
        'uname' => htmlentities($_POST['username']),
        'pswd'  => htmlentities($_POST['password'])
    );
    $sql = "SELECT * FROM users where username = '".$user['uname']."' AND password = '".$user['pswd']."'";
}

Use something like this:-

function xssProtect($var) {
    $retVal = '';
    // mysql_real_escape_string() needs an open mysql_connect() link, because it
    // escapes according to that connection's character set.
    if (function_exists("mysql_real_escape_string")) {
        $retVal = mysql_real_escape_string($var);
    } else {
        $retVal = mysql_escape_string($var);
    }

    return $retVal;
}

if (
    (isset($_POST['username']) && $_POST['username'] != "") &&
    (isset($_POST['password']) && $_POST['password'] != "")
   ) {
    $user = xssProtect($_POST['username']);
    $password = xssProtect($_POST['password']);
    $sql = "SELECT * FROM users WHERE username = '$user' AND password = '$password'";
}

Finally, you should really avoid the use of SQL reserved words as the names of columns in your tables. PASSWORD is an SQL reserved word, and some versions of MySQL will simply croak if you have a column name like this. If you absolutely *must* have the column called password, then you should refer to it in all SQL using backticks, so your SQL would read:-

$sql = "SELECT * FROM users WHERE username = '$user' AND `password` = '$password'";

Hope this helps


Tim
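The following is an added example, not code from the post above. It puts the htmlentities() pattern from the thread next to a login that uses a PDO prepared statement and password_verify(), and runs both against a constructed in-memory SQLite database so it works offline (the same PDO calls work against MySQL with a mysql: DSN). Two facts worth knowing when reading it: htmlentities() is an HTML output encoder, and with ENT_COMPAT (its default flag before PHP 8.1) it leaves single quotes untouched; and the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7.0, so escaping-based protection has to go through mysqli or PDO on current PHP anyway. The user "alice", her password and the injection payload are all made up for the demo.

```php
<?php
// Added example (not from the original post). Uses PDO with an in-memory
// SQLite database so it runs offline; the same PDO calls work for MySQL.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    // Constructed test user: store a salted hash, never the plaintext password.
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([
        ':u' => 'alice',
        ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// The pattern from the thread: HTML-encode the input, then splice it into SQL.
// htmlentities() with ENT_COMPAT (the pre-8.1 default) does not touch single
// quotes, so the attacker's quote reaches the SQL parser unchanged. Comparing
// the stored hash to the submitted plaintext in SQL is a second defect of this
// shape; the demo only cares about the injection.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $u = htmlentities($username, ENT_COMPAT);
    $p = htmlentities($password, ENT_COMPAT);
    $sql = "SELECT id FROM users WHERE username = '$u' AND password_hash = '$p'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: a prepared statement keeps user data out of the query text entirely
// (no escaping step to get wrong), and the password is checked with
// password_verify() against the stored hash rather than compared in SQL.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed inputs: a tautology payload in the password field turns the
// vulnerable WHERE clause into  ... AND password_hash = '' OR '1'='1'
function demo(): array
{
    $db = setupDb();
    $payload = "' OR '1'='1";
    return [
        'vulnerable_bypass' => loginVulnerable($db, 'alice', $payload),
        'safe_bypass'       => loginSafe($db, 'alice', $payload),
        'safe_real'         => loginSafe($db, 'alice', 'correct horse battery staple'),
    ];
}

var_dump(demo());
```

Running it shows vulnerable_bypass as true (logged in without knowing the password), safe_bypass as false, and safe_real as true. The prepared statement also sidesteps the reserved-word problem only in so far as column names are concerned: placeholders bind values, not identifiers, so a column really named password still needs its backticks (MySQL) or double quotes (standard SQL) in the query text.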