I’m working on a web app and I came across this code snippet:
$email=$_POST['email'];
$pass=$_POST['pass'];
$pass=md5($pass);
$query=mysql_real_escape_string($email,$link);
//echo $query."<br>";
$sql=mysql_query("SELECT pass FROM users WHERE email='".$email."'",$link);
if($row=mysql_fetch_array($sql))
{
I think the programmer intended $query=mysql_real_escape_string($email,$link); to be $email=mysql_real_escape_string($email,$link);
Do I have the right idea here?
Yes, you’re absolutely right – just correct that part, like you said, by changing it to
, and that will protect against SQL injection there.
On a side note, I suggest you use hash("sha512", xxx) instead of md5 because MD5 is becoming obsolete. If your column size doesn’t allow for that though and you don’t have the ability to change it, it’s still OK.
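The defect discussed in this thread, reproduced as an added example that is not code from the original posts: it compares the lookup as posted, the corrected assignment, and a bound parameter, which goes one step beyond the fix named above. Assumptions: an in-memory SQLite database through PDO stands in for the MySQL link, PDO::quote() stands in for mysql_real_escape_string(), and the function names, table row and test input are constructed.

```php
<?php
// Added example. In-memory SQLite through PDO stands in for the MySQL link,
// and PDO::quote() stands in for mysql_real_escape_string().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (email TEXT, pass TEXT)");
// Constructed row: an address that legitimately contains a single quote.
$db->prepare("INSERT INTO users VALUES (?, ?)")
   ->execute(["o'neil@example.com", 'constructed-hash']);

// As posted: the escaped value goes into $query, the raw $email into the SQL.
function lookup_as_posted(PDO $db, string $email): array {
    $query = $db->quote($email);               // computed, never used
    return $db->query("SELECT pass FROM users WHERE email='" . $email . "'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// The correction from the thread: the escaped value is what gets concatenated.
function lookup_escaped(PDO $db, string $email): array {
    $email = $db->quote($email);               // quote() adds the outer quotes too
    return $db->query("SELECT pass FROM users WHERE email=" . $email)
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the value is sent as data and never parsed as SQL.
function lookup_bound(PDO $db, string $email): array {
    $stmt = $db->prepare("SELECT pass FROM users WHERE email = ?");
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "o'neil@example.com";                 // constructed test input
foreach (['lookup_as_posted', 'lookup_escaped', 'lookup_bound'] as $fn) {
    try {
        printf("%-17s %d row(s)\n", $fn, count($fn($db, $input)));
    } catch (PDOException $e) {
        // The quote in the input ended the string literal early.
        printf("%-17s SQL error: input changed the statement\n", $fn);
    }
}
```

A test input containing a single quote is a quick regression check for this class of mistake: any code path where it produces an SQL error instead of a normal lookup is concatenating unescaped input.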