Input problem

I have the code below:

I have a bug with $_GET["p"]: if it contains something like 8*&^&^^(&)(* characters, it interferes with the code.

Is there a workaround for this?

$sql = "select * from member where UserName='".str_replace("'", "''", $_GET["u"])."' and Password='".str_replace("'", "''", $_GET["p"])."'";

Interferes how? And how are you validating and sanitising $_GET['p'] before you use it anyway?

$conn=mysql_connect($server, $dbuser, $dbpass) or die(mysql_error());
$db=mysql_select_db($dbname,$conn) or die(mysql_error());

$sql = "select * from member where UserName='".str_replace("'", "''", $_GET["u"])."' and Password='".str_replace("'", "''", $_GET["p"])."'";
$rs = mysql_query($sql);
if($rs && mysql_num_rows($rs) > 0){
	$row = mysql_fetch_array($rs);
	
	//establish the session 
	$_SESSION["UserName"] = $row["UserName"];

}
else {
	//echo "Try to log in with wrong user/password.";
	$_SESSION["Guest_UserName"] = Guest_UserName;
}
}

It does not use the if statement.

You should really consider using PDO (PHP Data Objects), which allows you to use prepared statements, or at least use the MySQLi functions and escape the user-entered data before inserting/querying it with the database.

A quick fix to your current code will be:



$conn = mysql_connect($server, $dbuser, $dbpass) or die(mysql_error());
$db = mysql_select_db($dbname, $conn) or die(mysql_error());

// Escape after connecting: mysql_real_escape_string() needs an open
// connection to escape for its character set.
$u = mysql_real_escape_string($_GET['u'], $conn);
$p = mysql_real_escape_string($_GET['p'], $conn);

$sql = "SELECT * FROM member WHERE UserName = '{$u}' && Password = '{$p}' ";
$rs = mysql_query($sql);
if ($rs && mysql_num_rows($rs) > 0) {
    $row = mysql_fetch_array($rs);

    //establish the session
    $_SESSION["UserName"] = $row["UserName"];
}
else {
    //echo "Try to log in with wrong user/password.";
    $_SESSION["Guest_UserName"] = Guest_UserName;
}
} // closes an enclosing block that is not shown in the post

The above is still not a recommended way; you should really consider using PHP PDO. Here is a very nice tutorial: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html

Hi,

I tried your code but it still did not apply the if statement.

Or is there a way to allow special characters in this code? Using words like <img src="test.com/test.jpg"> won't insert:

$query = "UPDATE member SET htmlprofile = '$htmlcode' WHERE UserName = '$myuser'";
mysql_query($query);
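
The PDO approach recommended earlier in the thread, applied to both the login query and the htmlprofile UPDATE above, as an added example that is not part of any post here. It assumes an in-memory SQLite database in place of MySQL, a constructed user alice, and hashed passwords checked with password_verify(), which goes beyond the plain-text comparison in the posted code.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for the
// MySQL database so the script runs offline; table and column names follow the
// posts, the rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (UserName TEXT PRIMARY KEY, Password TEXT, htmlprofile TEXT)');

// Constructed test password containing the characters from the first post.
$samplePassword = "8*&^&^^(&)(*'\"";
$pdo->prepare('INSERT INTO member (UserName, Password) VALUES (?, ?)')
    ->execute(['alice', password_hash($samplePassword, PASSWORD_DEFAULT)]);

// Login: the user name travels as a bound parameter, never as SQL text.
// The password is checked in PHP against a stored hash (assumption: the
// thread's table compares plain-text passwords inside the query instead).
function login(PDO $pdo, string $user, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT UserName, Password FROM member WHERE UserName = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['Password'])) {
        return $row['UserName'];
    }
    return null;
}

// Profile update: the HTML is stored byte for byte; quotes need no escaping.
function saveProfile(PDO $pdo, string $user, string $html): int
{
    $stmt = $pdo->prepare('UPDATE member SET htmlprofile = :h WHERE UserName = :u');
    $stmt->execute([':h' => $html, ':u' => $user]);
    return $stmt->rowCount();
}

var_dump(login($pdo, 'alice', $samplePassword));   // correct credentials
var_dump(login($pdo, "alice' OR '1'='1", 'x'));     // quote is part of the name
var_dump(saveProfile($pdo, 'alice', '<img src="test.com/test.jpg">'));

// Encode on output, not on input, when the stored value is displayed as text.
$stmt = $pdo->prepare('SELECT htmlprofile FROM member WHERE UserName = ?');
$stmt->execute(['alice']);
echo htmlspecialchars($stmt->fetchColumn(), ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

With MySQL the only change is the DSN and credentials passed to the PDO constructor; the prepared statements stay the same.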

I’m sure mysql_real_escape_string and PDO have been mentioned, repeatedly. :wink:

Every… well, 2nd topic in the past few months has been about mentioning sanitizing the input before sending it to the database. Yet, these topics pop up on a daily basis - every single one the same. I'm not a person who dislikes others and I know there are newcomers to programming in general, but I dislike indolence. It's really not hard to google the problem or use the search facilities of this forum.
Or at least read some stickies, help yourself out before asking for a solution to a problem solved a million times (literally, a million times).