
I'm developing a new site that requires user logins. Currently just testing a few things and passwords are stored as plain text but I will be changing this.

I was just wondering, as I'm new to using MySQL / PHP, if this is vulnerable to SQL Injection or not, and if so what would you recommend to make it more secure?

(using [insert_php] as WordPress is the CMS)

[insert_php]
include("Config.php");            // expected to open the mysql_* connection
$_SESSION['username']= "Your value";

if($_SERVER["REQUEST_METHOD"] == "POST")
{
    // username and password sent from Form, quotes escaped with addslashes()
    $myusername=addslashes($_POST['username']);
    $mypassword=addslashes($_POST['password']);

    // escaped values are interpolated straight into the query string
    // (select `active` as well, since it is read from $row below)
    $sql="SELECT id, active FROM admin WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($sql);
    $row=mysql_fetch_array($result);
    $active=$row['active'];
    $count=mysql_num_rows($result);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1)
    {
        $_SESSION['login_user']=$myusername;

        header("location: welcome.php");
    }
    else
    {
        $error="Your Login Name or Password is invalid";
    }
}
[/insert_php]
Mel
James
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – David May 28 '17 at 23:33
  • To be safer, use prepared statements in PDO. – Remco K. May 28 '17 at 23:35
  • Keep in mind that "using prepared statements" is not a magic wand. It's still possible (and even common) to have SQL injection vulnerabilities with libraries like PDO. The main thing to understand is to treat user-modifiable values (*not* just immediate user input, but *any* value that can be modified by a user at any point in that value's lifetime) as *values* and not as *executable code*. Putting values directly into SQL queries treats those values as code, regardless of what other "magic wands" you use to try to sanitize those values. – David May 28 '17 at 23:39

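As an added example that is not part of the question or its comments, here is the same login check written with PDO prepared statements, so the username is bound as a value rather than spliced into the query, and the password is checked against a stored hash instead of compared in SQL. The DSN, credentials, and the `password_hash` and `active` columns of the `admin` table are assumptions.

```php
<?php
// Added example (not from the question): the login check from the question
// rewritten so user input is bound as a value, never spliced into SQL.
// Assumptions: an `admin` table with columns id, username, password_hash
// (made with password_hash()) and active; DSN and credentials are placeholders.
session_start();

// Constructed connection for illustration; real credentials belong in Config.php.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Placeholder, not interpolation: the driver sends the SQL text and the
    // value separately, so quotes or comment markers in $username stay data.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, active FROM admin WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One generic failure for unknown user, wrong password and disabled account,
    // so the response does not say which it was.
    if ($row === false || !$row['active']) {
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Re-hash on successful login if the stored hash uses an older cost/algorithm.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE admin SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = authenticate($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($id !== null) {
        session_regenerate_id(true); // new session id on login (session fixation)
        $_SESSION['login_user'] = $id;
        header('Location: welcome.php');
        exit;
    }
    $error = 'Your Login Name or Password is invalid';
}
```

Registration would store `password_hash($password, PASSWORD_DEFAULT)` in `password_hash`; the plain-text `password` column from the question is no longer needed.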