Welcome to WebmasterWorld Guest from 54.163.94.5

Forum Moderators: open

Message Too Old, No Replies

Odd issue with a SELECT query.

     
5:49 pm on Sep 9, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 22, 2009
posts:1396
votes: 0


Hi there people of the database forum,

I don't often post on here, but this little query has me concerned, what have I done wrong, I can't see anything, but so long as the username & email are filled out, it appears that you could enter snything into the md5() password part, I cannot understand why whi is so:

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas?

Cheers,
MRb
6:26 pm on Sept 9, 2010 (gmt 0)

Moderator from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5634
votes: 51


Some parens would be helpful:
"SELECT * FROM `tester` WHERE (`name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."') AND `password` = '".md5($_POST['password'])."' LIMIT 1";
6:40 pm on Sept 9, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 22, 2009
posts:1396
votes: 0


Hi there lifeinAsia,

Thanks for that, I should have known this really, I guess it's because it has been a long day!

Cheers,
MRb
1:36 am on Sept 13, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 31, 2005
posts:1108
votes: 0


I hope you are also making sure those POST parameters are clean ones before using them, otherwise you are leaving yourself open to SQL Injection attacks.