send data with more security

[romina]

hello and thanks for your good forum

my problem is in sending data from a form

I send data with $_POST['something'] and for example check it in a mysql query like this

" SELECT * FROM `users` WHERE username='$username' AND password='$password' "

I want to know if some user can see all of the table or enter to CMS instead of an admin and do all that want like this:

"SELECT * FROM users WHERE username='admin' or 1=1#"

please help me to have a secure code.

[victor123]

Hi,

To avoid having that kind of problems, you should check that every value the user can enter responds to the data you are expecting (i.e. a numeric field has only numbers and such). That can be done with js, although it is not advisable to rely only on js.

Besides, using mysql_real_escape_string() for every post data to escape (i.e. put a slash before) certain characters will take control of sql attacks as far as i know.

I use both js and mysql_real_escape_string(). Also, i check every query for the validity of the results (if i am expecting the query to return something and it doesn't return anything, i quit the application, for example).

Regards.

[romina]

thank you victor for your answer

it was very good can you tell me js code that use for this????

I will be so thanks

[victor123]

Well, there are many routines to check for fields. For example, you can use isNaN(field.value) to check whether it is a numeric value or not. I am not a js expert, so i suggest posting js problems in the appropriate forum.

Regards.