How to prevent an SQL injection in PHP?

Php coding script.help needed!?

• Hey guys, i wrote a php login script n i'd like to check its logic flow. i cant test cos i cannot install the php stuff on my laptop. so pls help. The basic outline is a login page where students can login using their matriculation numb and password. they wont hv to register.for testing purposes, i've entered matriculation numb:123456789F and password:uolexternal for testing purposes.Please help me genuises! thank you! //login success <? session_start(); if(!session_is_registered(myusername))… header("location:main_login.php"); } ?> <html> <body> Login Successful </body> </html> //log out <? session_start(); session_destroy(); ?> //Database created using phpMyAdmin // creating table in database by runnning SQL Query CREATE TABLE 'Login'( `id` int(4) NOT NULL auto_increment, `MatNo` varchar(20) NOT NULL default '', `password` varchar(20) NOT NULL default '', PRIMARY KEY (`id`) ) TYPE=MyISAM AUTO_INCREMENT=1 ; //entering data into Login table INSERT INTO `Login` VALUES (1, '123456789F', 'uolExternal'); //main_login.php <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC"> <tr> <form name="form1" method="post" action="checklogin.php"> <td> <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#CCFF00"> <tr> <td colspan="3"><strong>Student Login </strong></td> </tr> <tr> <td width="235">Matriculation Number</td> <td width="14">:</td> <td width="766"><input name="MatNo" type="text" id="myusername" size="10" maxlength="10"></td> </tr> <tr> <td>Password</td> <td>:</td> <td><input name="mypassword" type="password" id="mypassword"></td> </tr> <tr> <td> </td> <td> </td> <td><input type="submit" name="Submit" value="Login"></td> </tr> </table> </td> </form> </tr> </table> //verify login <?php ob_start(); $host="localhost"; // Host name $username="syedhairun"; // Mysql username $password="uolexternal"; // Mysql password $db_name="SE"; // Database name $tbl_name="Login"; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php". Should direct to Welcome page. For coding purposes, its login_success.php session_register("myusername"); session_register("mypassword"); header("location:login_success.php"); } else { echo "Login Error.Please try again."; } ob_end_flush(); ?>

• Answer:

  Haven't really red it very well, but you do need to select a database somehow. I recommend 'USE tablename' over a php function. Or, just, 'database.table'.