I am having huge trouble with this Mysql_real_escape_string to prevent SQL Injection. I have tried everywhere possible to input it in my code. My code looks a lot different than most peoples. I mean my login/registration system works PERFECT.. besides that it's not protected from SQL Injection yet which is why I'm trying to secure it.
$cxn = mysqli_connect($host,$user,$password,$database) or die("Query died: connect"); $sql = "SELECT username FROM Member WHERE username='$_POST[fusername]'"; $result = mysqli_query($cxn,$sql) or die("Query died: fusername"); $num = mysqli_num_rows($result);
Okay now I know you input it in username=... after that. But I tried everything with the stupid quotation and single marks and I just cant' seem to get it right. I hope some genius can come along and help me. xD
Also, how do you prevent SQL Injection from the url? How they can delete your whole Member database by putting something in the url after .php?id= something. How do you prevent that?
Thanks for all this information. After this, I will be completely satisfied and can start moving on further with my site. Thank you!