PHP Web App How to write user logins when there is an injection to prevent the login from being bypassed by injection

PHP Web App How to write user logins when there is an injection to prevent the login from being bypassed by injection

If the condition is not changed, do not reply to prevent injection

2 of the general wording
·
1
$sql = "SELECT * from user where user_name= $username and password= $password";
$res = $db _obj->get_one ($sql);
if ($res) {
Login successful
}
·
·
2
$sql = "SELECT * from user where user_name= $username";
$res = $db _obj->get_one ($sql);
if ($res [Password]==md5 ($password)) {
Login successful
}
·
The above 2 can be bypassed, to find a safe wording

Reply content:

PHP Web App How to write user logins when there is an injection to prevent the login from being bypassed by injection

If the condition is not changed, do not reply to prevent injection

2 of the general wording
·
1
$sql = "SELECT * from user where user_name= $username and password= $password";
$res = $db _obj->get_one ($sql);
if ($res) {
Login successful
}
·
·
2
$sql = "SELECT * from user where user_name= $username";
$res = $db _obj->get_one ($sql);
if ($res [Password]==md5 ($password)) {
Login successful
}
·
The above 2 can be bypassed, to find a safe wording

Now that there is an injection vulnerability, not only can logins be bypassed, but even your databases are unsafe. If you know your table structure, it's easy to insert an administrator account. So the key is to prevent injection, not inject later what to do.

The simplest
$sql = "SELECT * from user where user_name= '". Addslashes ($username). "'";

Is the general notation not to use ORM to read and write databases?
Handwritten SQL, which is inherently unsafe

Using PDO preprocessing statements

