Jan 10th, 2008, 2:31 AM   #4
kishou
Re: mysql_real_escape

Quote:
Originally Posted by dr.p
You only need to use mysql_real_escape_string to quote a string for use in a query. MySQL returns strings from the database in a literal (unescaped) form. You should read about mysql_real_escape_string in the php manual.

Also, $row in your code is going to represent the FIRST user selected from the database. Your SQL query selects ALL users, instead of selecting ONLY the user identified by $username. This will result in checking the password against the wrong user most of the time if you have multiple users in the table.

Example:
$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\"");
$row = mysql_fetch_assoc($result);  // note assoc
if ($row['password'] == $_POST['password']) {
  // success
} else {
  // failure
}
Thx. But I'm just wondering: when should I use $username instead of $_POST["username"]? Like when I'm inserting it into the database? Because I'm just starting to learn about SQL injection.
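Added example, not part of either post: the same login check written with a bound parameter, which shows where each form of the input belongs. The username reaches the query as data, so it is never escaped by hand, and the submitted password is only compared, never placed in SQL. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL calls, a hypothetical helper named check_login(), and a `password` column that holds a password_hash() value rather than the plain text the thread compares.

```php
<?php
// Added example. An in-memory SQLite database stands in for the MySQL
// server from the thread so the script runs offline (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data. Table and column names follow the thread;
// storing a password_hash() value in `password` is an assumption.
$pdo->exec('CREATE TABLE registered_members (
    username TEXT PRIMARY KEY,
    password TEXT NOT NULL
)');
$insert = $pdo->prepare(
    'INSERT INTO registered_members (username, password) VALUES (:u, :p)'
);
$insert->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute([':u' => "o'brien", ':p' => password_hash('hunter2', PASSWORD_DEFAULT)]);

// check_login() is a hypothetical helper name, not from the thread.
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The raw username is bound as a parameter: the driver sends it as
    // data, so a quote inside it cannot change the SQL statement.
    $stmt = $pdo->prepare(
        'SELECT password FROM registered_members WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // The submitted password never enters the query; it is only
    // checked against the hash stored for this one user.
    return password_verify($password, $row['password']);
}

// Constructed inputs standing in for $_POST['username'] and $_POST['password'].
$attempts = [
    ['alice', 'correct horse'],
    ["o'brien", 'hunter2'],   // a quote in the name is handled as data
    ['alice', 'wrong'],
    ['nobody', 'hunter2'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s => %s\n", $u, check_login($pdo, $u, $p) ? 'success' : 'failure');
}
```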