
Untitled

a guest
Jul 21st, 2019
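  <?php
  /*
   * Login lookup against the `users` table, using a prepared statement.
   *
   * The two $_POST values are hard-coded below to simulate a hostile request,
   * so the script can be used to check how the query layer treats that input.
   *
   * Why addslashes() is not an SQL escaping function:
   *   addslashes() works byte by byte and knows nothing about the character
   *   set of the database connection. The simulated username starts with the
   *   bytes 0xBF 0x27. addslashes() puts a backslash (0x5C) in front of the
   *   0x27, giving 0xBF 0x5C 0x27. If the connection uses a multi-byte
   *   character set in which 0xBF 0x5C is one valid character (GBK is the
   *   commonly cited case), the server reads the backslash as part of that
   *   character and the quote is left unescaped, so the string literal in an
   *   interpolated query ends early. Whether this applies depends on the
   *   connection character set, which this script never sets.
   *
   * With bound parameters the values are sent separately from the SQL text,
   * so no quoting or escaping decision is made in PHP at all.
   */

  $db = mysqli_init();

  // Placeholder credentials from the original example; real credentials
  // belong in configuration outside the source tree.
  // The explicit false checks below cover installations where mysqli reports
  // errors through return values rather than exceptions.
  if (!$db->real_connect('localhost', 'myuser', 'mypass', 'mydb')) {
      throw new RuntimeException('Database connection failed');
  }

  /* SQL Injection Example: simulated hostile input */
  $_POST['username'] = chr(0xbf) .
                       chr(0x27) .
                       ' OR username = username /*';
  $_POST['password'] = 'guess';

  // bind_param() binds by reference, so copy the request values into locals.
  $username = $_POST['username'];
  $password = $_POST['password'];

  // NOTE(review): the query compares the password column with the submitted
  // value directly, which suggests passwords are stored in plaintext. The fix
  // would be password_hash() at registration and password_verify() here, but
  // that needs a schema change that is not visible from this script.
  $sql = 'SELECT *
          FROM   users
          WHERE  username = ?
          AND    password = ?';

  $authenticated = false;

  $stmt = $db->prepare($sql);
  if ($stmt !== false) {
      $stmt->bind_param('ss', $username, $password);

      if ($stmt->execute()) {
          // Buffer the result set so that num_rows is populated.
          $stmt->store_result();
          $authenticated = $stmt->num_rows > 0;
      }

      $stmt->close();
  }

  if ($authenticated) {
      /* Success */
  } else {
      /* Failure: no matching row, or the query could not be run */
  }

  ?>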