Below is my PHP code for login page.
if(!$_POST["username"] || !$_POST["password"])
{
echo "Username and Password fields are mandatory.";
}
else
{
$query="select user_id from users where user_name='".$_POST["username"]."' and password='".md5($_POST["password"])."' ";
.....
.....
}
I think, this is vulnerable code for SQL Injection. What should I modify in this code to prevent SQL Injection to my MYSQL database?
I am using following code to connect to my MySQL database:
function connect_database()
{
$con = mysqli_connect("servername", "username", "", "dbname");
if (!$con)
{
$con = "";
echo("Database connection failed: " . mysqli_connect_error());
}
return $con;
}
I am trying to use mysqli_prepare, but getting errors:
$unsafe_username = $_POST["username"];
$unsafe_password = md5($_POST["password"]);
$query=mysqli_prepare("select user_id from users where user_name= ? and password= ? ");
$query->bindParam("ss", $unsafe_username, $unsafe_password);
$query->execute();
I got following error:
Warning: mysqli_prepare() expects exactly 2 parameters, 1 given
Fatal error: Call to a member function bindParam() on null