On Mon, 6 Sep 2004 13:33:02 +0800, in php.general
[EMAIL PROTECTED] (Jason Wong) wrote:

>>   $username = trim(addslashes($_POST['user_name']));
>>   $pass = trim(addslashes($_POST['password']));
>
>addslashes() is not needed as you're performing a SELECT query and not an INSERT 
>query.

How did you come up with that? The escape mechanism is the same for
SELECT and INSERT.

addslashes() is not needed if magic_quotes is enabled, though. But if
it isn't, it could be easy to log in as another user, e.g. post:

other_user' OR user_name = 'foo

.. as user_name.

In that case the attacker could log in as other_user.

-- 
- Peter Brodersen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
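
The login bypass described in the message above, as an added example that is not part of the original post: the same posted user_name run through an unescaped, concatenated SELECT and through a prepared statement. The table name `users`, the `password` column, the query shape and the use of PDO with an in-memory SQLite database are assumptions, since the thread shows only the two `$_POST` lines.

```php
<?php
// Added example. Assumed: table `users`, columns user_name/password, PDO + SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT)");
// Constructed sample rows; a real table would hold password_hash() output.
$db->exec("INSERT INTO users VALUES ('other_user', 'secret-a'), ('foo', 'secret-b')");

// Unescaped concatenation: no addslashes() and magic_quotes disabled.
function login_concat(PDO $db, string $user, string $pass): array {
    $sql = "SELECT user_name FROM users"
         . " WHERE user_name = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameters: the posted value never becomes part of the SQL text.
function login_bound(PDO $db, string $user, string $pass): array {
    $stmt = $db->prepare(
        "SELECT user_name FROM users WHERE user_name = ? AND password = ?"
    );
    $stmt->execute([$user, $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$posted_user = "other_user' OR user_name = 'foo"; // value quoted in the message
$posted_pass = "wrong";                           // constructed, matches no row

// AND binds tighter than OR, so the concatenated WHERE clause reads
//   user_name = 'other_user' OR (user_name = 'foo' AND password = 'wrong')
// and the password test no longer applies to other_user.
var_dump(login_concat($db, $posted_user, $posted_pass));

// The same input as a bound value is compared literally and matches nothing.
var_dump(login_bound($db, $posted_user, $posted_pass));

// A legitimate login still succeeds through the prepared statement.
var_dump(login_bound($db, 'other_user', 'secret-a'));
```

The query here is a SELECT, so the example also shows that the need to escape or bind input does not depend on the statement type.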