
Thread: Is this password protection script of mine safe from SQL injection?

  1. #1 (Join Date: Jan 2003)

    Is this password protection script of mine safe from SQL injection?

    Hi all,

    I've had a bit of trouble with this script I found. Someone entered in some junk into the password field and broke my website for 15 minutes. I couldn't get into FTP, or into my host's control panel.

    All they did was enter =='1=1

    That's a pretty bad flaw!

    I just don't know how to apply ctype_alnum to ensure that only alphanumeric values are read by this script, so I can prevent failures like this from happening again.

    Also is this script protected from SQL injection?


  2. #2 (Join Date: Aug 2004)
    Well, if it broke when they entered that text, then it's probably not SQL injection proof.

    The best way (IMO) is to use the MySQLi or PDO database extension along with bound input parameters. If that is not feasible for some reason and you have to use the old (and now-deprecated) MySQLi extension, then you should cast any numeric field values to the appropriate type ((int) or (float)) or apply mysql_real_escape_string() to any character/string values.

    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
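An added example (not the original poster's script or the replier's code) of the two approaches discussed above: the password check written with the value pasted into the SQL text, and the same check with PDO bound parameters plus the ctype_alnum allow-list the question asked about. The table and column names (users, username, password), the DSN and the credentials are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names are assumed.

// VULNERABLE: the password field is concatenated into the query text, so a
// value like the =='1=1 mentioned in the question is parsed as SQL, not data.
function checkLoginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $result = $db->query($sql);              // query text and data are mixed
    return $result !== false && $result->fetchColumn() !== false;
}

// HARDENED: the query text is fixed up front; user values travel separately
// as bound parameters and can only ever be compared as data.
function checkLoginSafe(PDO $db, string $user, string $pass): bool
{
    // The allow-list from the question: reject anything that is not
    // alphanumeric before it reaches the database at all. Note this also
    // rejects legitimate passwords containing symbols, so apply it knowingly.
    if ($user === '' || $pass === '' || !ctype_alnum($user) || !ctype_alnum($pass)) {
        return false;
    }

    $stmt = $db->prepare(
        'SELECT id FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchColumn() !== false;   // false when no row matched
}

// Usage with an assumed DSN and credentials. Disabling emulated prepares
// makes MySQL itself separate the statement from its parameters.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$ok = checkLoginSafe($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? '');
echo $ok ? "login ok\n" : "login failed\n";
```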
