I have created a simple login form for a project in PHP and mySQL. I read about security and info about SQL Injections and XSS.
How can I test my form with these stuff ? I mean where I put it?
I found something like this ' or 1=1– and SQL queries like
SELECT fieldlist
FROM table
WHERE field = '$EMAIL';
I know it's a silly question, but I don't know the answer!
分享 for input input = $EMAIL the value asdf' or '1'='1 in the input and submit and see if you get true result or not.
So the query generated is
SELECT fieldlist
FROM table
WHERE field = 'asdf' or '1'='1';
To check if password is not empty or not.
if(!isset($_POST['password']))
Also doing this would be more better if
$username = trim($_POST['username']); //also turn magic quotes
//or add slashes to prevent sql injection
$password = md5(trim($_POST['username'])); //encrypt the password
SELECT *
FROM user
WHERE username = `$username` AND
password = `$password` LIMIT 1;
if(mysql_num_rows($result)) //if the count is 1, then, the the user exists
//do the login
