17.08.2012, 20:00
You should also use mysql_real_escape_string when you're dealing with custom inputs.
Sorry to be picky but you'll thank me when someone tries to wipe your database with SQL injection.
PHP code:
<?php
// Connect to the MySQL server (credentials redacted in the post).
$con = mysql_connect("-Private-","-Private-","-Private");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("ThomasRdb", $con);
// Hash the password; $_POST keys are quoted strings.
$pwhash = hash('whirlpool', $_POST['password']);
// Key is a reserved word in MySQL, so it is backtick-quoted; every value is a quoted string literal.
$sql = "INSERT INTO accounts (id, Username, `Key`, Email)
VALUES
('','" . mysql_real_escape_string($_POST['charactername']) . "', '" . $pwhash . "','" . mysql_real_escape_string($_POST['email']) . "')";
if (!mysql_query($sql, $con))
{
    die('Error: ' . mysql_error());
}
echo "Your account has been made!";
mysql_close($con);
?>
Also, you can use $_POST straight away, you don't need to load it into another string, see the difference:
PHP code:
$pwhash = hash('whirlpool', $_POST['password']);
in comparison to what you had before:
PHP code:
$pwhash = $_POST['password'];
$pwhash = hash('whirlpool', $pwhash);
And also you don't really need to make a string for your mysql query, but I'll stop there.
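The same account insert written with bound parameters instead of string concatenation, as an added example that is not part of the original post. It swaps the mysql_* calls for PDO prepared statements and, as an assumption, uses an in-memory SQLite database (needs the pdo_sqlite extension) in place of the MySQL server so it runs offline; create_account and the sample inputs are made up for the illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    Username TEXT NOT NULL UNIQUE,
    `Key` TEXT NOT NULL,
    Email TEXT NOT NULL
)');

// Hypothetical helper: inserts one account using bound parameters.
function create_account(PDO $db, $username, $password, $email)
{
    // Same Whirlpool hash as in the post, so the stored Key format is unchanged.
    $pwhash = hash('whirlpool', $password);
    $stmt = $db->prepare(
        'INSERT INTO accounts (Username, `Key`, Email) VALUES (:username, :pwhash, :email)'
    );
    // Values travel separately from the SQL text, so quotes in them cannot end a string literal.
    $stmt->execute(array(':username' => $username, ':pwhash' => $pwhash, ':email' => $email));
    return (int) $db->lastInsertId();
}

// Constructed sample input standing in for $_POST; the second name is full of SQL metacharacters.
$samples = array(
    array('charactername' => 'Thomas_R', 'password' => 'hunter2', 'email' => 'thomas@example.com'),
    array('charactername' => "x'); DROP TABLE accounts; --", 'password' => 'pw', 'email' => 'a@example.com'),
);
foreach ($samples as $post) {
    $id = create_account($db, $post['charactername'], $post['password'], $post['email']);
    echo "Inserted account id $id\n";
}

// The table is still there and the hostile string was stored as plain data.
foreach ($db->query('SELECT id, Username, length(`Key`) AS keylen FROM accounts') as $row) {
    printf("%d | %s | %d hex chars\n", $row['id'], $row['Username'], $row['keylen']);
}
```

Against MySQL only the DSN changes; the prepare and execute calls stay the same.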