For the benefit of general PHP/MySQL scripters (and without having looked through this particular script's source), I would suggest a few precautions that anyone should take:
- Make sure that single quotes, double quotes and backslashes can't get into your queries - either by removing them, or escaping them — addslashes(), stripslashes(), mysql_real_escape_string(), etc.
- Limit the size of strings that your users can input - in cases like username and password, set a maximum length of, say, 8 characters, and truncate input strings at that limit (or reject them). That limits the scope for tacking on things like "AND 1=1" to the end of user names.
- Catch errors to a log to which users do not have access - they only need to know that 'an error occurred', and not that it occurred in the query "SELECT foo FROM baa WHERE shamalama = 'dingdong'", information that may be useful to an attacker.
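The three precautions above applied to a user lookup, as an added example that is not part of the original post; it uses the mysqli extension (the old mysql_* functions are no longer in PHP) and assumes a hypothetical `users` table with `username` and `password_hash` columns and an open connection `$db`.

```php
<?php
// Added example, not from the original post. Assumes an open mysqli
// connection $db and a hypothetical table `users`(username, password_hash).

const MAX_LEN = 8;  // the length limit suggested above for usernames

// Precaution 2: reject over-long input rather than silently trusting it.
function validate_length(string $value, int $max = MAX_LEN): bool
{
    return $value !== '' && strlen($value) <= $max;
}

// Precautions 1 and 3: escape quotes and backslashes before the value is
// interpolated, and log the real failure server-side while the user only
// ever sees a generic message (no query text, no column names).
function find_user(mysqli $db, string $username): ?array
{
    if (!validate_length($username)) {
        return null;
    }
    // mysqli_real_escape_string is the current equivalent of the
    // mysql_real_escape_string() mentioned above.
    $safe = $db->real_escape_string($username);
    $sql  = "SELECT username, password_hash FROM users WHERE username = '$safe'";
    $res  = $db->query($sql);
    if ($res === false) {
        // Full detail goes only to the server's error log.
        error_log("user lookup failed: {$db->error} :: $sql");
        throw new RuntimeException('An error occurred.');
    }
    return $res->fetch_assoc() ?: null;
}

// Same lookup with a prepared statement: the value is sent separately from
// the SQL text, so no quoting of user input is needed at all. This is the
// preferred defence today and goes beyond what the post describes.
function find_user_prepared(mysqli $db, string $username): ?array
{
    if (!validate_length($username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    if ($stmt === false) {
        error_log("prepare failed: {$db->error}");
        throw new RuntimeException('An error occurred.');
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```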