Monthly Archives: September 2007

PHP and SQL injection

Ok, being someone who likes PHP, I get annoyed at the many sites trying to teach people the language whose example login scripts use something like:

<?php
// Vulnerable as written: $username and $password are dropped straight into the SQL text.
$result = mysql_query("select * from users where Username=$username and Password=$password");
if (mysql_num_rows($result) < 1) {
    // login failed: blah blah blah
}

What's wrong with that, you ask? Well, imagine what would happen if someone were to use the username '' or 1=1 # (more…)
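To show the contrast, here is an added example (not code from the original post): the unsafe string-building pattern next to a parameterised query. It assumes a PDO connection and a table users(Username, PasswordHash); the table and column names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection to a
// table users(Username, PasswordHash); those names are assumptions.

// 1. The unsafe pattern: the caller's input becomes part of the SQL text.
function unsafeLoginQuery(string $username, string $password): string
{
    return "select * from users where Username=$username and Password=$password";
}

// With the username from the post, the SQL the server actually receives is:
//   select * from users where Username='' or 1=1 # and Password=x
// "or 1=1" is always true and "#" comments out the rest, so every row matches
// and mysql_num_rows() is never below 1.

// 2. The safe pattern: the SQL text is fixed and values travel separately as
//    bound parameters, so they are never parsed as SQL.
function safeLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT PasswordHash FROM users WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // Compare against a stored hash instead of a plaintext Password column.
    return password_verify($password, $row['PasswordHash']);
}

// Demonstration of part 1 with the post's payload (no database needed).
$payload = "'' or 1=1 #";
echo unsafeLoginQuery($payload, "x"), "\n";

// Using the safe version (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret',
//               [PDO::ATTR_EMULATE_PREPARES => false]);
// var_dump(safeLogin($db, $payload, 'x')); // false: no user named '' or 1=1 #
```

Turning off emulated prepares makes the MySQL server itself bind the parameters, so the payload is compared as a literal username rather than interpreted as SQL.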