🔴 Error 2 — login.php
Using addslashes() instead of prepared statements
❌ Before (broken):
$email = addslashes($_POST['email']);
$password = addslashes($_POST['password']);
$query = "select * from users where email = '$email' && password = '$password' limit 1";
What’s wrong: addslashes() is not a safe way to protect against SQL injection. A clever attacker can still break out of the query and access or destroy your database. This is one of the most common and dangerous mistakes in PHP.
✅ After (fixed):
// Use prepared statements instead — they separate the query from the data completely
$stmt = mysqli_prepare($con, "SELECT * FROM users WHERE email = ? AND password = ? LIMIT 1");
// Bind the user input safely to the query — it can never be treated as SQL code
mysqli_stmt_bind_param($stmt, "ss", $_POST['email'], $_POST['password']);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
Why it’s fixed: Prepared statements keep the SQL query and the user data completely separate, so no matter what the user types, it can never manipulate the query.
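A complete login check built on the same prepared-statement pattern, added here as an example (it is not code from the original page). It assumes a users table with id, email and password_hash columns (the hash coming from password_hash()) and an open mysqli connection in $con; it also moves the password comparison out of the SQL and into password_verify(), which the page's fix does not do.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Assumes a `users` table with
// columns `id`, `email` and `password_hash` (produced by password_hash()), and
// an open mysqli connection in $con. Table and column names are assumptions.

// Make mysqli throw on errors; otherwise a failed prepare() returns false and
// the bind/execute calls below would fail silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up a user by email with a prepared statement and verify the password
 * against the stored hash. Returns the user id on success, null otherwise.
 */
function authenticate(mysqli $con, string $email, string $password): ?int
{
    // The SQL text is fixed here, before any user data is involved. The "?"
    // is a parameter slot, not text that gets spliced into the query.
    $stmt = mysqli_prepare($con, 'SELECT id, password_hash FROM users WHERE email = ? LIMIT 1');

    // "s" marks the value as a string; the driver sends it separately from the
    // SQL, so quotes, semicolons or comment markers in it are plain characters.
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);

    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    // Verify the password in PHP rather than comparing it inside the SQL, so
    // the database only ever holds a hash, never the password itself.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage from the login form. An email such as o'brien@example.com contains a
// quote but is matched literally; the query text itself never changes.
$email    = (string) ($_POST['email'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$userId   = authenticate($con, $email, $password);
```

mysqli_stmt_get_result() requires the mysqlnd driver, which the page's own fix already relies on.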