Hey guys,
Could you help me understand how to implement
mysql_real_escape_string
to prevent injection in this code ?
<?php
if(loggedin()){
echo "You are already logged in.";
} else {
if($_POST['submit']){
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5($password);
$res = mysql_query("SELECT * FROM users WHERE username='$username'");
if(mysql_num_rows($res) == 0){
echo "Utilizator inexistent, click <a href='index.php?act=register'>aici</a> pentru inregistrare.";
exit();
}
$row = mysql_fetch_assoc($res);
if($row['password'] == $password) {
if(@$_POST['remember' == "on"]) {
setcookie('username', $username,time()+36000);
echo "You have been logged in,<a href='index.php'>click here</a> to continue.";
} else {
$_SESSION['username'] = $username;
echo "You have been logged in,<a href='index.php'>click here</a> to continue.";
}
} else {
echo "Incorrect password.";
}
}
} else {
?>