
Zhris
Enthusiast
Oct 29, 2013, 10:49 AM
Post #2 of 2
(1215 views)
Re: [zak100] Problem login script
Hey,

Never interpolate variables, especially those that have come from an untrusted source, directly in an SQL statement. You have opened yourself up to SQL injection attacks. I haven't tested, but I believe the error is down to not having quotes around the values. Here is an improvement:

    $sth = $dbh->prepare("SELECT username, password FROM users WHERE username = ? and password = ?");
    $sth->execute($username, $password);

Chris
(This post was edited by Zhris on Oct 29, 2013, 10:52 AM)
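
The difference the reply describes, as an added example that is not part of the original post: the same lookup written with unquoted interpolation, with quoted interpolation, and with placeholders, run against a value that contains an apostrophe. It assumes DBD::SQLite with an in-memory database; the table layout, the rows and the `outcome` helper are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory SQLite stands in for the real database.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (username TEXT, password TEXT)");
# Constructed sample rows; the second one contains apostrophes.
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, "zak", "secret");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, "o'brien", "pa'ss");

my @variants = (
    # Values pasted into the SQL text with no quotes at all.
    [ "interpolated, unquoted" => sub {
        my ($u, $p) = @_;
        $dbh->selectrow_arrayref(
            "SELECT username FROM users WHERE username = $u and password = $p");
    } ],
    # Quotes added by hand: the value is still parsed as part of the SQL.
    [ "interpolated, quoted" => sub {
        my ($u, $p) = @_;
        $dbh->selectrow_arrayref(
            "SELECT username FROM users WHERE username = '$u' and password = '$p'");
    } ],
    # Placeholders: the statement text is fixed, values are bound as data.
    [ "placeholders" => sub {
        my ($u, $p) = @_;
        my $sth = $dbh->prepare(
            "SELECT username, password FROM users WHERE username = ? and password = ?");
        $sth->execute($u, $p);
        my $row = $sth->fetchrow_arrayref;
        $sth->finish;
        return $row;
    } ],
);

# Hypothetical helper: run one variant and classify what happened.
sub outcome {
    my ($code, @args) = @_;
    my $row = eval { $code->(@args) };
    return "SQL error: $@" if $@;
    return $row ? "match\n" : "no match\n";
}

for my $cred ([ "zak", "secret" ], [ "o'brien", "pa'ss" ]) {
    printf "%-24s %-10s %s", $_->[0], $cred->[0], outcome($_->[1], @$cred)
        for @variants;
}
```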