```php
if (isset($_POST['Login'])) {
    $UserName = $_POST['UserName'];
    $Password = $_POST['Password'];
    // The raw POST values are interpolated straight into the SQL string
    $login_query = mysqli_query($GLOBALS["___mysqli_ston"], "select * from voters where Username='$UserName' and Password='$Password' and Status='Unvoted' and Year='1st year'") or die(((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));
}
```
– user3414676
Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Aug 08 '20 at 20:31
2 Answers
You should look into using prepared statements, rather than concatenating results from your input directly. Otherwise you're vulnerable to SQL injection.
– Rogue
Anytime that you're using a variable that a user submitted and don't protect against it, you're vulnerable.

As Rogue said, you can use prepared statements, or use some version of quoting, such as PDO's:

```php
$password = $db->quote($password);
```
– General_Twyckenham

- `mysqli_query` does not allow multiple statements. So your example is wrong. – Gumbo Mar 15 '14 at 07:39
- @Gumbo Interesting - you are definitely correct. I've used PDO much more than mysqli, so I was unaware of this. – General_Twyckenham Mar 16 '14 at 02:01
- @YourCommonSense At least you're the paragon of perfection we all strive for. In case you are as illiterate as you are judgmental, what ACTUALLY happened is that my example was incorrect - the answer itself is still valid. – General_Twyckenham Mar 16 '14 at 15:21
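Added example, not code from the question or from either answer: the question's login query rewritten with `?` placeholders, first with mysqli (the prepared statements Rogue's answer recommends) and then with PDO (the library General_Twyckenham's answer refers to). The table and column names come from the question; the function names, the `$mysqli`/`$pdo` connection objects and the connection credentials in the request handler are assumptions for illustration.

```php
<?php
// Added example, not from the question or the answers. Assumes a `voters`
// table with the columns the question's query uses (Username, Password,
// Status, Year); the connection details below are placeholders.

const LOGIN_SQL = "SELECT * FROM voters
                   WHERE Username = ? AND Password = ?
                     AND Status = 'Unvoted' AND Year = '1st year'";

/**
 * mysqli version: the SQL text holds only `?` placeholders and the user's
 * values are sent to the server separately, so input such as
 * "' OR '1'='1" is compared as a literal string rather than parsed as SQL.
 */
function findUnvotedVoterMysqli(mysqli $db, string $userName, string $password): ?array
{
    $stmt = $db->prepare(LOGIN_SQL);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $userName, $password);   // 's' = bind as string
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $row = $stmt->get_result()->fetch_assoc();       // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

/**
 * PDO version of the same query. Relies on PDO::ERRMODE_EXCEPTION being set
 * on the connection so failures surface as exceptions instead of `false`.
 */
function findUnvotedVoterPdo(PDO $db, string $userName, string $password): ?array
{
    $stmt = $db->prepare(LOGIN_SQL);
    $stmt->execute([$userName, $password]);          // values bound positionally
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling equivalent to the question's `if (isset($_POST['Login']))`.
if (isset($_POST['Login'])) {
    // Placeholder credentials; substitute the application's own.
    $mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'voting');
    $voter = findUnvotedVoterMysqli(
        $mysqli,
        (string) ($_POST['UserName'] ?? ''),
        (string) ($_POST['Password'] ?? '')
    );
    if ($voter === null) {
        echo 'Invalid login, or this voter has already voted.';
    } else {
        // continue with the voting flow for $voter
    }
}
```

Gumbo's comment that `mysqli_query` refuses stacked statements does not make the original query safe: a single-statement payload such as `' OR '1'='1` in the Password field already satisfies the `WHERE` clause without needing a second statement. Escaping with `$db->quote()` as in the second answer also works when applied to every interpolated value, but placeholders remove the need to get that quoting right in each query.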