I have tried and tried to achieve an SQL injection by making custom queries to the server outside of Firefox.
Inside the PHP, all variables are passed into the query in a string like this:
Note, by this stage, $_POST has not been touched.
mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . ')');
Is that a secure way to make a change?
You should definitely escape the username with mysql_real_escape_string.
Of course the best solution would be to use prepared statements. That way the separation of query syntax and data is made on the MySQL API level.
And, as others pointed out, values should absolutely be surrounded with quotes, especially the text ones.
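
The prepared-statement approach recommended in the answer above, as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database so that it runs offline (the question uses the old mysql_* API against MySQL); the function name addUser and the sample inputs are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also turn off emulation so binding happens server-side:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (password TEXT NOT NULL, username TEXT NOT NULL UNIQUE)');

// Hypothetical helper: inserts one user from a $_POST-shaped array.
function addUser(PDO $pdo, array $post): bool
{
    // Both fields must be non-empty strings; PHP turns "username[]=x"
    // into an array, which must never reach the query.
    foreach (['username', 'password'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key]) || $post[$key] === '') {
            return false;
        }
    }
    // The SQL text is fixed; values travel separately as bound parameters,
    // so no quoting or escaping of the input is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO users (password, username) VALUES (:password, :username)'
    );
    // sha1() is kept from the question's query; password_hash() is the
    // function PHP provides for storing passwords.
    return $stmt->execute([
        ':password' => sha1($post['password']),
        ':username' => $post['username'],
    ]);
}

// Constructed stand-ins for $_POST, including SQL metacharacters.
$samples = [
    ['username' => 'alice',    'password' => 'correct horse'],
    ['username' => "O'Brien",  'password' => 'pw'],
    ['username' => "x','y')",  'password' => 'pw'],
    ['username' => ['nested'], 'password' => 'pw'], // rejected: not a string
];
foreach ($samples as $post) {
    var_dump(addUser($pdo, $post));
}

// Accepted usernames come back byte for byte as they were submitted.
foreach ($pdo->query('SELECT username, length(password) AS n FROM users') as $row) {
    printf("%s (hash length %d)\n", $row['username'], $row['n']);
}
```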