
Hey guys,

Could you help me understand how to implement mysql_real_escape_string to prevent injection in this code?

<?php

    if(loggedin()){
        echo "You are already logged in.";
    } else {
        if($_POST['submit']){
            if($_POST['username'] && $_POST['password']) {
                $username = $_POST['username'];
                $password = $_POST['password'];
                $password = md5($password);
                // $username is placed in the SQL unescaped; this is the line the question is about
                $res = mysql_query("SELECT * FROM users WHERE username='$username'");
                if(mysql_num_rows($res) == 0){
                    // Romanian message: "User does not exist, click here to register."
                    echo "Utilizator inexistent, click <a href='index.php?act=register'>aici</a> pentru inregistrare.";
                    exit();
                }
                $row = mysql_fetch_assoc($res);
                if($row['password'] == $password) {
                    // The original read $_POST['remember' == "on"], which indexes $_POST with
                    // the boolean result of the comparison; the == belongs outside the brackets.
                    if(@$_POST['remember'] == "on") {
                        setcookie('username', $username, time()+36000);
                        echo "You have been logged in,<a href='index.php'>click here</a> to continue.";
                    } else {
                        $_SESSION['username'] = $username;
                        echo "You have been logged in,<a href='index.php'>click here</a> to continue.";
                    }
                } else {
                    echo "Incorrect password.";
                }
            }
        } else {
            // the post is cut off here; the login form presumably belongs in this branch
        }
    }

?>
3 Contributors, 5 Replies, 6 Views, 7 Years Discussion Span, Last Post by Szabi Zsoldos
$username = mysql_real_escape_string($_POST['username']);

Because you're hashing the pw before it is used in any mysql, perhaps mysql_real_escape_string not so impt for this field. However, every other field should be escaped - even integers. Forms and headers can be spoofed so you can't even rely on what you assume to be your 'own safe values'.
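To show ardav's one-liner in context, here is the login lookup from the question with the username escaped before it reaches the SQL. This is an added example, not the original poster's or ardav's code; the connection details, the $link variable, the sql_string() helper and the column names are assumptions, and it targets the PHP 5 mysql_* extension the thread uses (those functions were removed in PHP 7).

```php
<?php
// Added example: the login lookup from the question with the username
// escaped before it is placed in the SQL. Connection details, $link and
// the users table columns are assumptions, not taken from the thread.
$link = mysql_connect('localhost', 'dbuser', 'dbpass');
if ($link === false) {
    die('Database connection failed.');
}
mysql_select_db('app', $link);

// Escape one external value for use inside a single-quoted SQL literal.
// mysql_real_escape_string() needs an open connection: it uses the
// connection's character set to decide which bytes to escape, and without
// one it returns false, which would silently become '' inside the query.
function sql_string($value, $link)
{
    // On PHP < 5.4 with magic_quotes_gpc on, form input already carries
    // backslashes; strip them first or the value gets escaped twice.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $escaped = mysql_real_escape_string($value, $link);
    if ($escaped === false) {
        die('Escaping failed: no database connection.');
    }
    return $escaped;
}

if (isset($_POST['username'], $_POST['password'])) {
    $username = sql_string($_POST['username'], $link);
    // The typed password never reaches SQL: md5() output is 32 hex
    // characters, which is why ardav calls escaping this field less important.
    $password = md5($_POST['password']);

    // The escaped value must still sit between quotes in the SQL text;
    // escaping neutralises quote and backslash characters but does not
    // add the surrounding quotes for you.
    $res = mysql_query("SELECT password FROM users WHERE username='$username'", $link);
    if ($res === false) {
        die('Query failed.');
    }
    if (mysql_num_rows($res) == 0) {
        echo 'Unknown user.';
        exit();
    }
    $row = mysql_fetch_assoc($res);
    if ($row['password'] === $password) {
        echo 'Logged in.';
    } else {
        echo 'Incorrect password.';
    }
}
?>
```

The helper exists so every external value passes through the same two steps (undo magic quotes, then escape) and so a missing connection fails loudly instead of producing an empty literal.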


Thank you ardav,

What do you mean by escaping integers as well? I escaped the password and the username, what else should I escape?


> Thank you ardav,
>
> What do you mean by escaping integers as well? I escaped the password and the username, what else should I escape?

You should escape everything - everything that has been touched by an external source (querystring/cookie/form). Clean all variables pasted into an SQL statement. It will not affect numeric data - so it is safe to use.
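"Escape everything that came from outside" applied to the two inputs the question's code uses besides the form fields: the remember-me cookie and a numeric value from the querystring. This is an added example, not from the thread; the connection details, $link variable, column names and the mysqli prepared-statement version at the end (which goes beyond the mysql_* functions the thread discusses) are assumptions.

```php
<?php
// Added example, not from the thread: escaping the cookie and querystring
// inputs, then the same lookup as a mysqli prepared statement. Connection
// details, $link and the users table columns are assumptions.
$link = mysql_connect('localhost', 'dbuser', 'dbpass');
if ($link === false) {
    die('Database connection failed.');
}
mysql_select_db('app', $link);

// The cookie written by the remember-me branch is as external as a form
// field: the client can send any value in it, so it is escaped before use.
$cookie_user = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
$cookie_user = mysql_real_escape_string($cookie_user, $link);
$res = mysql_query("SELECT id FROM users WHERE username='$cookie_user'", $link);

// Escaping leaves a well-formed number unchanged ("42" stays "42"), which
// is why ardav says it is safe to apply to integer fields too. It only
// deals with quote and backslash characters, so a value interpolated
// WITHOUT quotes (WHERE id=$id) gets nothing from it. For numbers the
// robust step is a cast, which turns any non-numeric input into 0.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$res = mysql_query("SELECT username FROM users WHERE id=$id", $link);

// Equivalent with a mysqli prepared statement (the mysql_* functions were
// removed in PHP 7). Values travel separately from the SQL text, so no
// escaping step is needed; 'i' types the bound value as an integer.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}
$stmt = $mysqli->prepare('SELECT username FROM users WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($found_user);
if ($stmt->fetch()) {
    // Output escaping is a separate concern from SQL escaping.
    echo 'Found user ' . htmlspecialchars($found_user, ENT_QUOTES, 'UTF-8');
}
$stmt->close();
?>
```

The cast and the prepared statement make the same point from two sides: escaping protects a quoted string literal, and anything placed in the SQL outside quotes needs a different control.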
