is this the proper use of mysql_real_escape_string() to prevent sql injections?

Posted on 16th Feb 2014 07:03 pm by admin

i was wondering is this the proper use of mysql_real_escape_string() to prevent sql injections? any help greatly appreciated. thanks. derek

Code: <?php
include("connect1.php");

session_start(); // this is the session declaration , one per page.

$u = trim($_POST['username']);
$p = trim($_POST['password']);

$logoff = $_GET['logoff'];
$hack = $_GET['hack'];





if($logoff){


unset($_SESSION['userid']);

//session_destroy(); //commented out gets rid of the having to login twice.

$message = "You have been logged off";




}


if($hack){

$message = "Naughty Naughty!"; // COOL

}


// escape username and password for use in SQL
$u = mysql_real_escape_string($u);
$p = mysql_real_escape_string($p);


// if fields username and password have contents, then...
if($u && $p){

$query = mysql_query("SELECT * FROM table2 WHERE username = '$u' AND password = '$p'");

$result = mysql_fetch_array($query); //creates array called result,//notice we dont need a while loop here.

if($result['username']){

$message = "You have been logged in";

$_SESSION['userid'] = $result['username'];

header("Location:old.mainsite.php");
exit;


}else{

$message = "You do not exist on the system";

}



}
?>

Your Answer:

Login to answer

Other forums

Email Processor
I have a few questions so this post will be a larger one! Sorry, but I'm a bit of a PHP newbie so be

php is not recognized as an internal or external command
Hello,

I am trying to bake the code in CakePHP through my console.
I have changed my Path

help with contest script
I would like to code a contest script to my site but i don't know how. Could someone just give me pu

Help with PHP Calendar code...
Hello, I'm new to this forum and I'm glad I found it.
I wrote this code for a PHP calendar as an

UDP server recvfrom() always returns -1? :(
Hello all,
I am getting a very strange error in my code :( I am writing a server application in C

Intrastat Report Config in ECC 6.0 - goods Movement in EU countries
Colleagues, need ur help to understand the changes require in ECC 6 standard Report configuration se

Edit MySQL Row Using PHP and HTML Form
Hello,

Here's what I'm trying to do. Build a page where a user enters a MySQL row number in.

Not connecting to DB using ruby, error:env.c:257:in oci8lib.so: ORA-12154:
Hi All,

I am trying to connect to the database server from the client server using ruby and f

Why do I get this error?
Error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or

[function.file]: failed to open stream: No such file or directory
Okay I wrote this little script to upload a csv file that is located on my webhosts server to a mysq