is this the proper use of mysql_real_escape_string() to prevent sql injections?

Posted on 16th Feb 2014 07:03 pm by admin

i was wondering is this the proper use of mysql_real_escape_string() to prevent sql injections? any help greatly appreciated. thanks. derek

Code: <?php
include("connect1.php");

session_start(); // this is the session declaration , one per page.

$u = trim($_POST['username']);
$p = trim($_POST['password']);

$logoff = $_GET['logoff'];
$hack = $_GET['hack'];





if($logoff){


unset($_SESSION['userid']);

//session_destroy(); //commented out gets rid of the having to login twice.

$message = "You have been logged off";




}


if($hack){

$message = "Naughty Naughty!"; // COOL

}


// escape username and password for use in SQL
$u = mysql_real_escape_string($u);
$p = mysql_real_escape_string($p);


// if fields username and password have contents, then...
if($u && $p){

$query = mysql_query("SELECT * FROM table2 WHERE username = '$u' AND password = '$p'");

$result = mysql_fetch_array($query); //creates array called result,//notice we dont need a while loop here.

if($result['username']){

$message = "You have been logged in";

$_SESSION['userid'] = $result['username'];

header("Location:old.mainsite.php");
exit;


}else{

$message = "You do not exist on the system";

}



}
?>

Your Answer:

Login to answer

Other forums

Automatically Detect Phone Model for WAP Jar Deployment
Making a wap site is fairly simple, but I'd like to know if there's a way to make it so that the wap

Escaped characters
I have a script that allows you to post news to the home page of my site. Along with the news is the

Sending an SMS Message with ASP.NET
Often times it may be a requirement for your web application to send an SMS message. Such examples w

MySql timezone
Code: $sql = "SELECT *, date_format(date, '%m/%d/%Y at %I:%i %p' )as date FROM comments WHERE t

Select Lists into MYSQL
Hello All, I am new to PHP @ 1 week. So borrowing code anywhere I can. I am making progress, but h

Help pulling in 'id' with "read more" link
I'm trying to create snippets of my articles in the cms I'm creating, and then have them redirect to

Agency Business Process
Hi,

I don’t understand the process of the agency business in SAP.

In my

Using mysql_real_escape_string for displayed content
On my website users can input data into a textarea and it will store it in the mysql database. But,

need help in update query
i create a form for update. there are 8 columns in my mysql table. on my main page all the data is r

InternetOpenUrl() Invalid cert
Hi all,

Does anyone know how to prevent calls to InternetOpenUrl() from failing with erro