Useful PHP Code
$_POST['username'] = "aUser"; $query = " SELECT * FROM users WHERE username = '$_POST[username]' "; //Executes SELECT * FROM users WHERE username = 'aUser';
This is a major security floor, since an SQL statement could in theory be passed in $_POST['username'] variable with disastrous results:
$_POST['username'] = "'; DELETE * FROM users"; $query = "SELECT * FROM users WHERE username = '$_POST[username]'"; //Executes SELECT * FROM users WHERE username = ''; DELETE * FROM customers !
So all your data could be deleted by a very simple but nasty trick :( . To stop this from happening, use mysql_real_escape_string() as shown below:
$_POST['username'] = "'; DELETE * FROM users"; $username = mysql_real_escape_string($_POST['username']); $query = "SELECT * FROM users WHERE username = '$username'"; //Executes SELECT * FROM users WHERE username = '\'; DELETE * FROM users'
Now, the single quote is escaped thanks to mysql_real_escape_string() function and the query instead searches for " \'; DELETE * FROM users " as a username rather than executing the delete command.
Please go and add this to your code if you haven't already... I have seen too many amateur websites destroyed by something as simple as an SQL injection attack.
