Odd issue with a SELECT query.
|
Matthew1980

msg:4199563 | 5:49 pm on Sep 9, 2010 (gmt 0) | Hi there people of the database forum, I don't often post on here, but this little query has me concerned. What have I done wrong? I can't see anything, but so long as the username & email are filled out, it appears that you could enter anything into the md5() password part. I cannot understand why this is so:

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas? Cheers, MRb
|
LifeinAsia

msg:4199588 | 6:26 pm on Sep 9, 2010 (gmt 0) | Some parens would be helpful:

"SELECT * FROM `tester` WHERE (`name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."') AND `password` = '".md5($_POST['password'])."' LIMIT 1";
|
Matthew1980

msg:4199593 | 6:40 pm on Sep 9, 2010 (gmt 0) | Hi there LifeinAsia, Thanks for that, I should have known this really, I guess it's because it has been a long day! Cheers, MRb
|
Dijkgraaf

msg:4200969 | 1:36 am on Sep 13, 2010 (gmt 0) | I hope you are also making sure those POST parameters are clean ones before using them, otherwise you are leaving yourself open to SQL Injection attacks.
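
The two points raised in this thread (AND binding tighter than OR, and unsanitised POST values), as an added example that is not code from any of the posters. It assumes PDO with an in-memory SQLite database standing in for the MySQL table; the row, the `login_matches()` helper and the sample logins are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL table.
// Table and column names come from the posted query; the row is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tester (name TEXT, user_email TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO tester VALUES (?, ?, ?)');
// md5() is kept only to mirror the posted query.
$ins->execute(['matt', 'matt@example.test', md5('correct-password')]);

// AND binds tighter than OR, so this parses as:
//   name = ? OR (user_email = ? AND password = ?)
$unparenthesized = 'SELECT * FROM tester
    WHERE name = :login OR user_email = :login2 AND password = :hash LIMIT 1';

// Grouping from the reply: (name = ? OR user_email = ?) AND password = ?
$parenthesized = 'SELECT * FROM tester
    WHERE (name = :login OR user_email = :login2) AND password = :hash LIMIT 1';

// Hypothetical helper: true when the query returns a row for this login.
function login_matches(PDO $db, string $sql, string $login, string $password): bool
{
    // Values are bound, never concatenated, so a quote in the input stays data.
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':login'  => $login,
        ':login2' => $login,
        ':hash'   => md5($password),
    ]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed sample logins: right password, wrong password by name,
// wrong password by email, and a login containing an apostrophe.
$cases = [
    ['matt', 'correct-password'],
    ['matt', 'wrong-password'],
    ['matt@example.test', 'wrong-password'],
    ["o'neil", 'wrong-password'],
];
foreach ($cases as [$login, $password]) {
    printf("%-20s %-18s unparenthesized=%s parenthesized=%s\n", $login, $password,
        var_export(login_matches($db, $unparenthesized, $login, $password), true),
        var_export(login_matches($db, $parenthesized, $login, $password), true));
}
```

Only the second case differs between the two queries: a matching `name` alone satisfies the unparenthesized WHERE clause, while the parenthesized one also requires the password hash to match.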