SHARE

<?php
$user="<div>spam spam</div>";
$password="<div>spam spam</div>";
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
echo $query;
?>

Mysql command will be:

SELECT * FROM users WHERE user='
 ' AND password='
 '
<?php
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);
$_POST['username'] = 'tutorialspots';
$_POST['password'] = "' OR ''='";
echo $query;
?>

Mysql command will be:

SELECT * FROM users WHERE user='tutorialspots' AND password='' OR ''=''

With this command will cause one user login without the correct password.
=> use mysql_real_escape_string to prevent the following:

<?php
$_POST['username'] = 'tutorialspots';
$_POST['password'] = "' OR ''='";
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", 
             mysql_real_escape_string($_POST['username']), 
             mysql_real_escape_string($_POST['password']));
echo $query;
mysql_query($query);
 ?>

Mysql command will be:

SELECT * FROM users WHERE user='aidan' AND password='\' OR \'\'=\''

Notice: you should use function getEscaped below instead of mysql_real_escape_string

function getEscaped( $text ) {
	/*
	* Use the appropriate escape string depending upon which version of php
	* you are running
	*/
	if (version_compare(phpversion(), '4.3.0', '<')) {
		$string = mysql_escape_string($text);
	} else 	{
		$string = mysql_real_escape_string($text);
	}
	
	return $string;
}

NO COMMENTS