
I have a PHP script that signs a user into my site when they enter the correct login credentials. However, I noticed that it is easy to inject this login by entering anything' OR 'x'='x into the password box.

How can I stop this from happening?

$query = "SELECT * FROM sm_editors WHERE email = '".$_POST['email']."' AND password = '".$_POST['password']."' AND user_type != 'reader-for-approval'";
Callum Whyte

4 Answers


You first need to sanitize the inputs to prevent this.

The function mysql_real_escape_string will remove any escape characters.

Take a look at the "What's the best method for sanitizing user input with PHP?" question for more information.

John Wheal

You can use the mysql_real_escape_string function on the data you pass to your query, or use prepared statements and stored procedures instead of the old syntax.

Xazzzi
$query = "SELECT * FROM sm_editors WHERE email = '".mysql_real_escape_string($_POST['email'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' AND user_type != 'reader-for-approval'";
Sash

First, you can use mysql_real_escape_string to escape the string.

But a better way would be to prepare your SQL statement before you execute it. Have a look at the PHP PDO MySQL connector; there you have some methods to prepare your string.

$s = $pdo->prepare('SELECT * FROM table WHERE field1 = :value');
$s->execute(array(':value' => $value));

Have a look at http://www.php.net/manual/de/pdo.prepared-statements.php

chresse
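The following is an added example, not code from the question or from any of the answers above. It puts the string-concatenated query from the question next to a PDO prepared-statement version of the same login check and runs both against the injected password `anything' OR 'x'='x`. To run stand-alone it uses an in-memory SQLite database through PDO (an assumption; with MySQL only the DSN and credentials change), and the single editor row is constructed sample data. Table and column names are the ones from the question. One caveat the question's query makes visible: it compares the password in clear text, and the example keeps that only to mirror the original; in a real login you would fetch the row by email and check the stored hash with password_verify.

```php
<?php
// Added example: vulnerable string-built query vs. PDO prepared statement.
// Uses sqlite::memory: so it runs offline; not the original poster's code.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, separates the SQL text from the values.

// Constructed sample data (not from the page): one legitimate editor account.
$pdo->exec("CREATE TABLE sm_editors (id INTEGER PRIMARY KEY, email TEXT, password TEXT, user_type TEXT)");
$pdo->exec("INSERT INTO sm_editors (email, password, user_type)
            VALUES ('editor@example.com', 'correct-horse', 'editor')");

// Exactly what the attacker types into the two form fields.
$email    = 'editor@example.com';
$password = "anything' OR 'x'='x";

// 1. The query from the question: user input becomes part of the SQL text.
//    AND binds tighter than OR, so the WHERE clause turns into
//    (email = ... AND password = 'anything') OR ('x'='x' AND user_type != ...)
//    and the second branch is true for every real editor row.
function vulnerableLogin(PDO $pdo, string $email, string $password): int
{
    $query = "SELECT * FROM sm_editors WHERE email = '" . $email
           . "' AND password = '" . $password
           . "' AND user_type != 'reader-for-approval'";
    echo "vulnerable SQL: $query\n";
    return count($pdo->query($query)->fetchAll(PDO::FETCH_ASSOC));
}

// 2. Same check as a prepared statement: the SQL text is fixed up front and
//    the two values are bound separately, so the quote inside the password
//    is just a character in the compared value, never SQL syntax.
function preparedLogin(PDO $pdo, string $email, string $password): int
{
    $stmt = $pdo->prepare(
        "SELECT * FROM sm_editors WHERE email = :email AND password = :password"
        . " AND user_type != 'reader-for-approval'"
    );
    $stmt->execute([':email' => $email, ':password' => $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// 1 row: the attacker is "logged in" without knowing the password.
printf("vulnerable query matched %d row(s)\n", vulnerableLogin($pdo, $email, $password));
// 0 rows: no account has the literal password anything' OR 'x'='x.
printf("prepared query matched %d row(s)\n", preparedLogin($pdo, $email, $password));
```

The point to take from the two functions is that escaping is a property of how a string is built, while a prepared statement removes the need to build the string at all: the database receives the query shape and the values as two separate things, so nothing a user types can change the shape.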