I have a website where I use PHP on the server side and MySQL as the database. I use the following script to retrieve data from the database. Could anybody let me know whether this code is vulnerable to an injection attack? If so, could you please give a solution?
<?php
// PHP script
$usrname=$_POST['usrname'];
$_SESSION['usremail']=$usrname;
$usrpassword=$_POST['passwd'];
$db=mysql_select_db('mydb',$connection);
$result=mysql_query("select usrfname,usrlname from userinformation where usremail='$usrname' and usrpassword='$usrpassword'") or die('failed to login');
Any help is greatly appreciated.
Thanks
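The script in the question builds its SQL by interpolating `$_POST` values into the query string, so any quote character in the input changes the statement the server parses. The following is an added example, not the poster's code, showing the same lookup with a prepared statement and a hashed password. It assumes PDO (the `mysql_*` functions were removed in PHP 7), uses an in-memory SQLite database in place of MySQL so it runs offline, and `login()` and the sample row are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with an in-memory
// SQLite database stands in for MySQL so the script runs offline; the row
// inserted below is constructed sample data; login() is a hypothetical helper.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userinformation (
    usrfname TEXT, usrlname TEXT, usremail TEXT UNIQUE, usrpassword TEXT)');

// Store a password hash, never the password itself.
$ins = $pdo->prepare('INSERT INTO userinformation VALUES (?, ?, ?, ?)');
$ins->execute(['Ada', 'Example', 'ada@example.com',
               password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $email, string $password): ?array
{
    // Placeholders keep the SQL text fixed; the values travel as data,
    // so quotes in $email cannot change the structure of the statement.
    $stmt = $pdo->prepare('SELECT usrfname, usrlname, usrpassword
                           FROM userinformation WHERE usremail = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash in PHP, not inside the query.
    if ($row === false || !password_verify($password, $row['usrpassword'])) {
        return null;
    }
    unset($row['usrpassword']); // do not hand the hash back to the caller
    return $row;
}

// Constructed inputs: a valid login, a wrong password, and an address
// containing an apostrophe, which would break a string-built query.
var_dump(login($pdo, 'ada@example.com', 'correct horse'));
var_dump(login($pdo, 'ada@example.com', 'wrong'));
var_dump(login($pdo, "o'neil@example.com", 'anything'));

// A caller should set $_SESSION['usremail'] only after login() returns
// a row, not before the credentials have been checked.
```

With MySQL, the same `login()` works unchanged once the PDO connection uses a `mysql:` DSN with `PDO::ATTR_EMULATE_PREPARES` set to `false`, so the server performs the parameter binding.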