
Odd issue with a SELECT query.

Matthew1980

5:49 pm on Sep 9, 2010 (gmt 0)

Hi there people of the database forum,

I don't often post on here, but this little query has me concerned. What have I done wrong? I can't see anything, but so long as the username & email are filled out, it appears that you could enter anything into the md5() password part. I cannot understand why this is so:

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas?

Cheers,
MRb

LifeinAsia

6:26 pm on Sep 9, 2010 (gmt 0)

Some parens would be helpful:
"SELECT * FROM `tester` WHERE (`name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."') AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Matthew1980

6:40 pm on Sep 9, 2010 (gmt 0)

Hi there lifeinAsia,

Thanks for that, I should have known this really, I guess it's because it has been a long day!

Cheers,
MRb

Dijkgraaf

1:36 am on Sep 13, 2010 (gmt 0)

I hope you are also making sure those POST parameters are clean ones before using them, otherwise you are leaving yourself open to SQL Injection attacks.
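Added example (not code from the thread or from any of the posters): it reproduces the precedence problem from the first post and LifeinAsia's parenthesised fix, and then shows the parameterised query that Dijkgraaf's point calls for. It uses Python's sqlite3 in place of MySQL (SQLite accepts the same backtick-quoted identifiers), a constructed single-row `tester` table with an account "alice", and md5 only because the thread's code uses it.

```python
"""Precedence bug, parenthesised fix, and parameterised query (added example).

Assumptions: sqlite3 instead of MySQL, a constructed `tester` table with one
account, and md5() kept only to mirror the thread's PHP.
"""
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    # Mirrors the thread's md5(); not a suitable password hash in practice.
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account, password "correct horse".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tester (name TEXT, user_email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO tester VALUES (?, ?, ?)",
        ("alice", "alice@example.com", md5_hex("correct horse")),
    )
    conn.commit()
    return conn


def login_original(conn, username, password):
    # The first post's query. AND binds tighter than OR, so SQL reads it as
    #   name = U  OR  (user_email = U AND password = P)
    # A matching name alone is enough; the password is only checked on the email path.
    sql = (
        "SELECT * FROM `tester` WHERE `name` = '" + username
        + "' OR `user_email` = '" + username
        + "' AND `password` = '" + md5_hex(password) + "' LIMIT 1"
    )
    return conn.execute(sql).fetchone()


def login_parenthesised(conn, username, password):
    # LifeinAsia's fix: parentheses force (name = U OR user_email = U) AND password = P.
    # Still string-concatenated, so a quote in the input still rewrites the query.
    sql = (
        "SELECT * FROM `tester` WHERE (`name` = '" + username
        + "' OR `user_email` = '" + username
        + "') AND `password` = '" + md5_hex(password) + "' LIMIT 1"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn, username, password):
    # Same logic with placeholders: the driver passes the values separately,
    # so quotes, comments or OR clauses in the input stay data, not SQL.
    sql = (
        "SELECT * FROM tester WHERE (name = ? OR user_email = ?) "
        "AND password = ? LIMIT 1"
    )
    return conn.execute(sql, (username, username, md5_hex(password))).fetchone()


# Constructed injection payload: closes the string and the parenthesis, then
# comments out the rest of the query, including the password check.
INJECTION = "' OR 1=1) -- "


def demo() -> dict:
    conn = make_db()
    return {
        "original_wrong_pw_by_name": login_original(conn, "alice", "wrong") is not None,
        "original_wrong_pw_by_email": login_original(conn, "alice@example.com", "wrong") is not None,
        "paren_wrong_pw": login_parenthesised(conn, "alice", "wrong") is not None,
        "paren_injected": login_parenthesised(conn, INJECTION, "wrong") is not None,
        "param_injected": login_parameterised(conn, INJECTION, "wrong") is not None,
        "param_good_login": login_parameterised(conn, "alice@example.com", "correct horse") is not None,
    }


if __name__ == "__main__":
    for check, logged_in in demo().items():
        print(f"{check}: {'logged in' if logged_in else 'rejected'}")
```

The first two results show the asymmetry the opening post noticed: with the original query a wrong password gets in when the submitted value matches `name`, but not when it matches `user_email`. The parentheses fix that, yet the same function still accepts the injected username, and only the parameterised version rejects it. The md5 call is kept only to match the thread; a password store should use a salted, deliberately slow hash such as bcrypt.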