SQL Injection Protection

aspekt9

I've been working on protecting my form from sql injection could you guys provide some input and let me know if this is as much as I can do to prevent improper injection?

Here's my code:

function loginform()
{
 global $LANG01;
$_SESSION['user'] = $_POST['user'];
$userip = $_SERVER['REMOTE_ADDR'];
if(get_magic_quotes_gpc()) {
	$user = stripslashes($_SESSION['user']);
	$password = stripslashes($_POST['pass']);
} else {
	$user = ($_SESSION['user']);
	$password = ($_POST['pass']);
}
$remember = $_POST['remember'];
$epassword = (md5($password));


$query = sprintf("SELECT * FROM users WHERE username='%s' and password='%s'",
			mysql_real_escape_string($user),
			mysql_real_escape_string($epassword));
$result = mysql_query($query);
$nrows = mysql_num_rows($result);
 if ($nrows == 1) {
$_SESSION['usrlogin'] = 1;
mysql_query("UPDATE users SET loggedin='yes' WHERE username='$user'");
mysql_query("UPDATE users SET ipaddress='$userip' WHERE username='$user'");
echo '<meta http-equiv="refresh" content="0;URL=index.php">';
} else {
	echo '<span class="invalid">'. $LANG01[10] .'</span><br /><br />';
	include 'forms/loginform.html';
 }
}

Piranha

It is in the beginning. But then all of a sudden you have 2 queries that you don't make sure is protected from SQL Injection:

mysql_query("UPDATE users SET loggedin='yes' WHERE username='$user'");
mysql_query("UPDATE users SET ipaddress='$userip' WHERE username='$user'");

You should use mysql_real_escape_string on ALL variables in ALL queries that use variables from the outside.

[Edit]Why do you use 2 queries for this, you only need one. And what happens if the user don't use the logout function but just close the connection? Is he/she still considered to be logged in?[/edit]