
I have a login page in which I have used

 <?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>

Now I was trying it, and whenever I enter

  http://www.twekr.com/login.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

it gave me this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hacked')%3C/script%3E', 0)' at line 2

What should I do now? This is the login code:

  <?php
  $uemail = "";
  $upass = "";
  if ($_SERVER["REQUEST_METHOD"] == "POST")
  {
      $uemail = test_input($_POST['email']);
      $upass  = test_input(md5($_POST['password']));

      if (empty($uemail) or empty($upass)) {
          $message = "Please enter email or password";
      } else {
          // $uemail is concatenated straight into the SQL text; no parameter binding
          $check_login = mysql_query("SELECT username FROM users WHERE email
          ='$uemail' AND password ='$upass'");
          if (mysql_num_rows($check_login) == 1) {
              $get = mysql_fetch_array($check_login);
              $_SESSION['username2'] = $get['username'];
              $_SESSION['semail'] = $uemail;
              header('Location:http://twekr.com/'); exit;
          } else {
              $message = "Wrong email or password";
          }
      }
  }
  ?>
abhishek
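As an added illustration (not the asker's code), here is the same login flow with a prepared statement, hashed passwords and a form action that cannot pick up the PATH_INFO tail from the URL; it assumes a PDO connection (placeholder credentials) and the `users` columns named in the post, with `password` holding a `password_hash()` value rather than an MD5.

```php
<?php
// Added example, not from the original post. DB credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER', 'DB_PASS',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_start();

function find_user(PDO $pdo, string $email): ?array {
    // The placeholder keeps user input out of the SQL text, so a value such as
    // "><script>alert('hacked')</script> can never alter the query structure.
    $stmt = $pdo->prepare('SELECT username, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uemail = trim((string)($_POST['email'] ?? ''));
    $upass  = (string)($_POST['password'] ?? '');

    if ($uemail === '' || $upass === '') {
        $message = 'Please enter email and password';
    } else {
        $user = find_user($pdo, $uemail);
        // password_verify() checks against a password_hash($plain, PASSWORD_DEFAULT)
        // value; md5() is not a password hash and should not be stored.
        if ($user !== null && password_verify($upass, $user['password'])) {
            session_regenerate_id(true);            // new session id on login
            $_SESSION['username2'] = $user['username'];
            $_SESSION['semail']    = $uemail;
            header('Location: http://twekr.com/');
            exit;
        }
        $message = 'Wrong email or password';       // same text for both failure cases
    }
}
?>
<!-- SCRIPT_NAME excludes PATH_INFO, so "/%22%3E%3Cscript..." appended to login.php
     never reaches the attribute; ENT_QUOTES also escapes single quotes. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'); ?>">
  <input type="email" name="email">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
<?php if ($message !== ''): ?>
  <p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
```

Note that the posted SELECT contains no `, 0)` fragment, so the error text points at a different query (one that also receives the URL path unescaped) that is not in the snippet; every query that touches request data needs the same parameterisation.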