$con = mysql_connect('localhost', 'root', '');
$db_select = mysql_select_db('db_name', $con);
die("Error: No DataBase Selected.\n");
die("Error: ".mysql_error()."\n");
<form action='./login.php' method='POST'>
<table border='0' align='center'>
<tr><td>Username </td><td><input type='text' name='user'></td></tr>
<tr><td>Password </td><td><input type='password' name='pass'></td></tr>
<tr><td colspan='2' align='right'><input type='submit' name='login' value='Login'></td></tr>
$u = $_POST['user'];
$p = $_POST['pass'];
$log = $_POST['login'];
$sql = mysql_query("SELECT count(id) FROM `users` WHERE `username` = '$u' AND `password` = '$p'");
$result = mysql_result(sql, 0);
die("Invalid Login Information\n");
echo "Welcome ".$u."! You are now logged in.\n";
8 Years
Discussion Span
Last Post by manzarr

Hey! this script i'm sure is meant for beginners. If you know about SQL injection then I guess you are not a beginner and you can even do this community a favour by posting another version of the script with SQL injection holes well taken care of.
Happy times!


mysql_real_escape_string(); will prevent injections.


$string = 'user input';
$safer = mysql_real_escape_string($string);
// the variable $safer is less likely to cause you any problems from your users input.

it is always best practice to hash your passwords as well {sha1($string) }. when you create the user, hash the password into the data base. when you check against it hash the password and that will give you the same result but with safer password storage.

Edited by leviathan185: forgot something


This script not only suffers from security holes but also has a but in recording incorrect data. If magic quotes are enabled then every recording of a slash be recorded. This means if you record the username te"s't then when you retrieve it from the database it will display te\"s\'t. To solve that you will need to use the stripslashes() function if magic quotes are enabled. Also note that the mysql_real_escape_string() function not only fixes security holes but also validates the string from potential bugs/errors. So the following is how to convert a variable ready for mysql.

$data = mysql_real_escape_string(stripslashes($_POST['data']));

hello am from ghana trying to learn some codes all by myself to meet me needs can some one out there give a helping hand

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.