Kezzer,
As TheAnimus has illustrated, you need to protect your web-based application from SQL injection attacks. It's often overlooked, so I wouldn't be so downtrodden. In a nutshell, you need to treat all data obtained from the user as 'tainted' and mitigate any risks that may arise from processing it. One way of protecting your application is to validate all data sent to the web application.
The first step to protect your login system is to validate the input from the user:
* If your username/password field in the DB is 10 chars long, then check that what the user has sent is 10 characters.
* If more than 10 characters have been sent, truncate the variable to 10 characters.
A second way of validating your user's input is to check that only alphanumeric characters have been sent. Why would a user need to have SQL code in their username? You could employ something like this in your code:
Code:
// Accept only 1 to 10 word characters (letters, digits, underscore);
// anything else is rejected before it reaches the database
if (preg_match("/^\w{1,10}$/", $_GET['username'], $matches)) {
    // the matched value is a string, so it must be quoted in the SQL
    $result = mysql_query("SELECT * FROM users WHERE username='$matches[0]'");
} else {
    echo "Your username contained invalid characters";
}
A third way would be for you to formulate your SQL queries correctly. I've taken your code as an example and modified it to best practices. As a rule of thumb, double quotes should surround variable data.
Code:
// single-quoted PHP strings do not interpolate variables, so concatenate
$sql = mysql_query('SELECT * FROM user_table WHERE username = "' . $username . '"');
OR
// double-quoted PHP string: the variable is interpolated and the inner quotes are escaped
$sql = mysql_query("SELECT * FROM user_table WHERE username = \"$username\"");
(\" is an escape quote....)
And finally, to answer your question about functions or libraries to make your life easier, there is one that comes to mind on this... Look up the mysql_real_escape_string() function in the PHP manual.
Basically try this:
Code:
// escape the user-supplied value before splicing it into the query
$result = mysql_query('SELECT * FROM user_table WHERE username="' . mysql_real_escape_string($_GET['username']) . '"');
The mysql_real_escape_string() function basically will prevent anything from being interpreted after the WHERE clause.
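As an added example (not code from the post above), here is the same login lookup written with input validation plus a PDO prepared statement, so the username is bound as a value and never spliced into the SQL text at all. It uses an in-memory SQLite database so the script runs stand-alone; the `users` table, its columns and the sample account are constructed for the demo, and the same code works against MySQL by changing the DSN.

```php
<?php
// Added example, not from the original post: validation + prepared statement.
// Table name, column names and the sample user are assumptions for the demo.

function validate_username(string $raw): ?string
{
    // Accept only 1..10 word characters (letters, digits, underscore);
    // quotes, semicolons and comment markers never reach the database.
    return preg_match('/^\w{1,10}$/', $raw) === 1 ? $raw : null;
}

function find_user(PDO $db, string $username): ?array
{
    // The statement text is fixed; the value travels separately as a
    // bound parameter, so it cannot change the structure of the query.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $rawUser, string $rawPass): bool
{
    $username = validate_username($rawUser);
    if ($username === null) {
        return false;                     // bad length or invalid characters
    }
    $row = find_user($db, $username);
    if ($row === null) {
        return false;                     // no such user
    }
    // Passwords are stored as password_hash() output and checked in PHP,
    // never compared inside the SQL string.
    return password_verify($rawPass, $row['password_hash']);
}

// --- demo setup with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'kezzer', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login($db, 'kezzer', 'correct horse'));     // valid user, correct password
var_dump(login($db, 'kezzer', 'wrong'));             // valid user, wrong password
var_dump(login($db, "kezzer' OR '1'='1", 'wrong'));  // quote character fails validation
```

The validation step and the prepared statement are independent defences: even if the regex were loosened, the bound parameter is still sent to the database as data rather than as part of the statement.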