php q

Out of context: Reply #19

  • 23 Responses
  • justjeff0

    The PHP code on that website is horrible code - completely insecure and fundamentally broken.

    The session variables aren't being set correctly because it never calls session_start() ( http://us2.php.net/session_start… ), and it doesn't escape the POST input to prevent SQL injection. If you entered a password similar to "x' OR password='%'", you'd automatically be logged in, because the ' isn't escaped, so the OR statement is executed as SQL, allowing any password to match and granting access.

    Please, I know it costs money, but if you're making a website and need PHP, hire someone who knows what they're doing. You wouldn't encourage a developer to butcher a design; don't expect the other way around to be any different.

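The two defects the reply describes, a login query built by string concatenation and `$_SESSION` used without `session_start()`, are shown side by side below with a hardened version. This is an added example, not code from the site discussed in the thread. It assumes PHP 8 with the bundled pdo_sqlite extension, builds an in-memory SQLite table with constructed sample users, and uses the classic `' OR '1'='1` payload rather than the exact string quoted in the post; the function names are chosen for the demo.

```php
<?php
// Added example (not code from the site discussed in the thread).
// Assumes PHP 8 with the pdo_sqlite extension; uses an in-memory SQLite
// database and constructed sample users so it runs stand-alone:
//   php login_demo.php
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data. The plaintext column mimics the kind of
    // schema the vulnerable query needs; the hash column is what the
    // hardened login uses.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
               password TEXT, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)');
    $ins->execute(['alice', 'correct horse', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(['bob', 'battery staple', password_hash('battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// BEFORE: the pattern the reply criticises. Unescaped input is pasted into
// the query, so a single quote in $pass ends the string literal and the
// rest of the input is parsed as SQL.
function vulnerableLogin(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username='$user' AND password='$pass'";
    return $db->query($sql)->fetch() !== false;
}

// AFTER: a prepared statement keeps user input out of the SQL grammar, and
// password_verify() compares against a salted hash instead of plaintext.
// Returns the user id on success, null on failure.
function safeLogin(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// The other defect the reply points out: until session_start() has run,
// $_SESSION is just an ordinary array and nothing persists between
// requests. Start the session before touching $_SESSION (and before any
// output is sent), and rotate the id on login so a pre-login id handed to
// the victim by an attacker (session fixation) cannot be reused.
function establishSession(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

$db = makeDb();
$payload = "x' OR '1'='1";   // constructed injection payload for the demo

// With the payload the vulnerable query becomes
//   ... WHERE username='alice' AND password='x' OR '1'='1'
// and the OR clause is true for every row, so the login succeeds.
printf("vulnerable, real password : %s\n", vulnerableLogin($db, 'alice', 'correct horse') ? 'login' : 'denied');
printf("vulnerable, injected      : %s\n", vulnerableLogin($db, 'alice', $payload) ? 'login' : 'denied');
printf("hardened,   real password : %s\n", safeLogin($db, 'alice', 'correct horse') !== null ? 'login' : 'denied');
printf("hardened,   injected      : %s\n", safeLogin($db, 'alice', $payload) !== null ? 'login' : 'denied');

$id = safeLogin($db, 'alice', 'correct horse');
if ($id !== null) {
    establishSession($id);
    printf("session user_id = %d\n", $_SESSION['user_id']);
}
```

Run it with `php login_demo.php`: the vulnerable function reports "login" for both the real password and the injected one, while the hardened function accepts only the real password. Prepared statements are the fix the reply is asking for; escaping with a function like `mysqli_real_escape_string()` also works but has to be applied to every interpolated value without exception, which is exactly the discipline the site in question lacked.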