Thread: Security
Old Nov 28th, 2006, 11:58
Gee Bee
Re: Security

This line

mysql_query("UPDATE accounts SET last_login='".time()."' WHERE username='".$_POST["user"]."'");

is open to SQL injection attacks and XSS attacks. You should filter the input data from the user and use at least

mysql_real_escape_string()

if you are using MySQL. And use htmlentities(), strip_tags().


Check this site out for help on security issues

http://phpsec.org/projects/guide/

It's an easy read and well worth it.
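As an added example (not code from the original post), the quoted UPDATE is shown beside the escaped form the post recommends and a prepared-statement form, with the output encoding for the XSS half of the advice. It assumes a mysqli connection in $db and the `accounts` table from the quoted line; the function names are chosen here.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection
// in $db and an `accounts` table with `last_login` and `username` columns.

// The quoted line, ported to mysqli. The user-controlled value is spliced
// into the SQL text, so it can change the statement instead of being data.
function updateLastLoginUnsafe(mysqli $db, string $user): bool
{
    $sql = "UPDATE accounts SET last_login='" . time()
         . "' WHERE username='" . $user . "'";
    return $db->query($sql) !== false;
}

// What the post recommends: escape the value for the connection's character
// set before placing it inside the quoted literal.
function updateLastLoginEscaped(mysqli $db, string $user): bool
{
    $safeUser = $db->real_escape_string($user);
    $sql = "UPDATE accounts SET last_login='" . time()
         . "' WHERE username='" . $safeUser . "'";
    return $db->query($sql) !== false;
}

// Prepared statement: the SQL text is fixed and the values travel separately,
// so no quoting inside them can alter the query. Preferable to escaping.
function updateLastLoginPrepared(mysqli $db, string $user): bool
{
    $stmt = $db->prepare(
        'UPDATE accounts SET last_login = ? WHERE username = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $now = (string) time();             // mirrors the quoted literal
    $stmt->bind_param('ss', $now, $user);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// The XSS half of the advice: encode the stored username for the HTML
// context when echoing it back. SQL escaping does nothing for this.
function renderUsername(string $user): string
{
    return htmlentities($user, ENT_QUOTES, 'UTF-8');
}
```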