the $user contains exactly the stuff the user sent from the form. so in this line:
Code
$query = mysql_query("SELECT * FROM users WHERE username='$user'");
the written stuff gets exactly at that position. if you write the right thing, you can do bad stuff...
here's the link where's nearly the same situation as you got it:
http://en.wikipedia.org/wiki/SQLinjectionwhen you scroll down to the "Escaping", you can nearly copy the code:
Code
$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
mysql_real_escape_string($Username),
mysql_real_escape_string($Password));
mysql_query($query);
the harmful stuff sent by the formular gets harmless in the function "mysql_real_escape_string(...)". so if you first put your string together with this function inside a sprintf, then you can use your crafted string which is harmless.
Thank you, much appreciated.
in addition one way to get around sql injections is to find a filter class and attach that filter to all posts,gets and echos