Safe code for SQL Injection using mysql_*

Question

I just want to know if there's a way of making your code using mysql_* safe for SQL Injection.

I have this code inside my log.php:

$username = $_POST['username'];
$password = $_POST['password'];
$status = $_POST['status'];

include("conn.php");

if($username && $password)
{
    $query = mysql_query("SELECT * FROM student_users WHERE username='$username'");
    if($query!=0)
    {
        while($rows = mysql_fetch_assoc($query))
        {
            $db_username = $rows['username'];
            $db_password = $rows['password'];
        }

        if($username == $db_username && $password == $db_password)
        {
            header("location: stud.php");
            $_SESSION['username'] = $db_username;
            $_SESSION['stud_num'] = $db_stud_num;
            break;
        }       
    }
}

How can I test this for SQL Injection?

I found a out some ideas that http://127.0.0.1/test/index.php?username=%27%20or%201=1%20/*&password=1 can use to test my website for SQL injection vulnerabilities. But doesn't worked.

I also try typing inside the input fields 1 OR 1 = 1; -- 1 OR 1 = 1; -- but still doesn't work.

I know that it maybe because of the condition I set inside my code but how can I know other hackers strategy for SQL Injection?

maybe just give me some easy-to-use tools for testing local websites.

Thanks for enlightening me :D

Answer 1

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$status = mysql_real_escape_string($_POST['status']);


 $query = mysql_query("SELECT * FROM student_users WHERE username='$username'");

Answer 2

Try not using mysql_* code. If you have beginning of the project rewrite all code to mysqli or PDO. (PDO is better.)

If you want to use mysql_* use mysql_real_escape_string in all input field.

You can read more Here