Welcome to WebmasterWorld Guest from 54.221.54.252

Forum Moderators: open

Message Too Old, No Replies

Odd issue with a SELECT query.

     
5:49 pm on Sep 9, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 22, 2009
posts:1396
votes: 0


Hi there people of the database forum,

I don't often post on here, but this little query has me concerned, what have I done wrong, I can't see anything, but so long as the username & email are filled out, it appears that you could enter snything into the md5() password part, I cannot understand why whi is so:

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas?

Cheers,
MRb
6:26 pm on Sept 9, 2010 (gmt 0)

Moderator from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5628
votes: 48


Some parens would be helpful:
"SELECT * FROM `tester` WHERE (`name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."') AND `password` = '".md5($_POST['password'])."' LIMIT 1";
6:40 pm on Sept 9, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 22, 2009
posts:1396
votes: 0


Hi there lifeinAsia,

Thanks for that, I should have known this really, I guess it's because it has been a long day!

Cheers,
MRb
1:36 am on Sept 13, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 31, 2005
posts:1108
votes: 0


I hope you are also making sure those POST parameters are clean ones before using them, otherwise you are leaving yourself open to SQL Injection attacks.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members