Question

Guys, I am new to MySQL security, and when I search for this issue on Google, lots of people warn that we should check the MySQL string to see whether it contains ' or not, otherwise you are at risk of getting your MySQL database injected, but they don't say why. Can you please tell me the reason? Thank you very much.

Solution

Imagine you have a user table and a login form. Usually when a user logs in you want to determine whether he has an account:

THIS IS VERY BAD PHP:

"SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');"

Now you have a user with the username

1';DROP TABLE users;#

What would happen?
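
What the server ends up parsing for that username, as an added example that is not part of the original answer. It is written in Python; `build_query`, `split_statements` and `safe_lookup` are hypothetical names, the splitter is a simplified stand-in for MySQL's parser, and SQLite stands in for MySQL to show the parameterized form.

```python
import sqlite3

PAYLOAD = "1';DROP TABLE users;#"  # the username from the answer above

def build_query(username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    return ("SELECT * FROM users WHERE username = '%s' "
            "AND password = MD5('%s');" % (username, password))

def split_statements(sql):
    """Simplified view of how MySQL reads the text: '...' literals,
    ';' separators, '#' comments. Backslash escapes are not handled."""
    statements, current, in_string, i = [], "", False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            in_string = not in_string      # a quote opens or closes a literal
            current += ch
        elif in_string:
            current += ch                  # inside a literal everything is data
        elif ch == "#":
            while i < len(sql) and sql[i] != "\n":
                i += 1                     # comment: skip to end of line
            continue
        elif ch == ";":
            statements.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    statements.append(current.strip())
    return [s for s in statements if s]

def safe_lookup(conn, username):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")     # SQLite stands in for MySQL here
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed"))
    rows = safe_lookup(conn, PAYLOAD)
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return rows, remaining                 # ([], 1): no match, table intact

if __name__ == "__main__":
    print(split_statements(build_query("alice", "secret")))
    print(split_statements(build_query(PAYLOAD, "x")))
    print(demo())
```

Whether a server runs the second statement depends on the client API accepting more than one statement per call; in either case the quote has let the input change the structure of the query, which is what binding the value as a parameter prevents.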

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow