Security

santhanam

Dear Friends,
I have a login form where i accept username and password & verify it in another page using mysql_query function. The username & password is stored in mysql database.
I got a suggestion from one of my friend that we can exploit this model for deleting records / any other purpose.i.e by entering "0;delete from users" to delete records.
Please kindly tell me whether this security issue really exists & if so please suggest me a best alternative in terms of security.

With Regards
Santhanam

trexx

it doesn't work. at least with the usual mysql/php configuration. the mysql_query function does not allow to send multiple SQL commands separated with a semicolon (😉 so there's no security hazard.

if you wanna be completely sure, check every user input (something you should do anyway) and remove or quote slashes, single- and double quotes and overlengthed strings.