[RESOLVED] How to sanitise variable to prevent sql injection

Hotkey

Hi there,

i've a question regarding sql injection. I have a form which takes username and password from the user for loggin in.
The password is going to be hashed and is safe for sql injection.
How can i sanitise the login name with php so that it is safe for sql injection?

Thanks in advance and with best regards

Hotkey

Piranha

That differ a bit depending on what database you use. If you use mysql as a database you should use the command mysql_real_escape_string for all variables that you include in a query. You should also use ' signs, even for variables that don't actually need it, as example int. You could then do something like this:

$username = $_POST['username'];
$password = md5($_POST['password']);  // I'm not sure if it is the correct way to use the hashing
$sql = sprintf("
   SELECT COUNT(*) as c
   FROM users 
   WHERE username = '%s' 
   AND password = '%s'", 
   mysql_real_escape_string($username), 
   $password);
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
if ($row['c'] == 1)
{
   // User is ok
}
else
{
   // User is not ok
}

Hotkey

thanks for the fast answer.
I'll try the mysql_real_escape_string function and use the sinlge quotes.

The code posted by you makes no use of that function, am i missing something or is it just an additional way?

Thanks a lot!

Hotkey

Piranha

Ops, I managed to forget to escape the string, and it is really bad since it was all about that. Edited it so it is there now.