Don't use </pre></code>
Source Link
Jamal


I see you check for SQL injection of the login name:

$loginName = mysql_real_escape_string($loginName);

Do you filter bad content for the submitted password?

Now that I look at it, you are sending the POSTed login name straight to the SQL, aren't you?

This:

new user($db,$_POST['username']);
 

Should be this:

new user($db,$loginName); 
 

If I'm reading this correctly - you need to sanitize the password also!

This is generally very important. You are also using MySQL functions to sanitize SQLite data. That's probably okay, but I wouldn't bet the farm on it!
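
An added example, not part of the original answer or the asker's code: binding the login name as a query parameter through PDO's SQLite driver, so the lookup does not depend on MySQL escaping functions being correct for SQLite data. The `users` table, the `checkLogin` helper and the sample inputs are constructed for illustration, and it assumes the `pdo_sqlite` extension is available and that passwords are stored as hashes.

```php
<?php
// Added example: constructed schema and sample data, not the original poster's code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Constructed account for the demo; the login deliberately contains a quote.
$ins = $db->prepare('INSERT INTO users (login, pw_hash) VALUES (:login, :hash)');
$ins->execute([
    ':login' => "o'brien",
    ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
]);

/**
 * Hypothetical helper: true only when the login exists and the password matches.
 * The login name travels as a bound parameter, never as SQL text, so no
 * escaping function (MySQL or otherwise) is involved.
 */
function checkLogin(PDO $db, string $loginName, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $loginName]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    // The password is never placed in a query; it is only checked against the stored hash.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed stand-ins for $_POST['username'] and $_POST['password'].
$cases = [
    ["o'brien", 'correct horse'],    // legitimate login with a quote in the name
    ["o'brien", 'wrong'],            // right name, wrong password
    ["' OR '1'='1", "' OR '1'='1"],  // injection-style input, handled as plain data
];
foreach ($cases as [$name, $pw]) {
    printf("%-14s => %s\n", $name, checkLogin($db, $name, $pw) ? 'accepted' : 'rejected');
}
```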

added 207 characters in body; deleted 1 characters in body
Source Link

I see you check for sql injection of the loginname:

$loginName = mysql_real_escape_string($loginName);

Do you filter bad content for the submitted password?

edit: now that I look at it, you are sending the POSTed login name straight to the SQL, aren't you?

this:


new user($db,$_POST['username']); 

should be this:


new user($db,$loginName); 

If I'm reading this correctly - you need to sanitize the password also!

This is generally very important. You are also using mysql functions to sanitize sql lite data. That's probably okay, but I wouldn't bet the farm on it!


Source Link

I see you check for sql injection of the loginname:

$loginName = mysql_real_escape_string($loginName);

Do you filter bad content for the submitted password?

edit: now that I look at it, you are sending the POSTed login name straight to the SQL, aren't you?

this:


new user($db,$_POST['username']); 

should be this:


new user($db,$loginName); 

If I'm reading this correctly.