This question already has an answer here:
- How can I prevent SQL-injection in PHP? 28 answers
Im having a little trouble with a basic PHP website that is vulnerable to SQL injection.
Is there a fast simple way to update the below code to prevent this?
I was able to log on to the members area with a simple Boolean SQL expression.
The code is:
$username = $_POST['username'];
$password = md5($_POST['password']);
$checklogin = mysql_query("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");
if(mysql_num_rows($checklogin))
{
$row = mysql_fetch_array($checklogin);
$email = $row['EmailAddress'];
$_SESSION['Username'] = $username;
$_SESSION['EmailAddress'] = $email;
$_SESSION['LoggedIn'] = 1;
echo "<h1>Success</h1>";
echo "<p>We are now redirecting you to the member area.</p>";
echo "<meta http-equiv='refresh' content='2;index.php' />";
Thanks in advance
Wayne
Aucun commentaire:
Enregistrer un commentaire