Welcome to WebmasterWorld Guest from 54.205.251.179

Forum Moderators: open

Message Too Old, No Replies

Odd issue with a SELECT query.

   
5:49 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Hi there people of the database forum,

I don't often post on here, but this little query has me concerned, what have I done wrong, I can't see anything, but so long as the username & email are filled out, it appears that you could enter snything into the md5() password part, I cannot understand why whi is so:

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas?

Cheers,
MRb
6:26 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Some parens would be helpful:
"SELECT * FROM `tester` WHERE (`name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."') AND `password` = '".md5($_POST['password'])."' LIMIT 1";
6:40 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Hi there lifeinAsia,

Thanks for that, I should have known this really, I guess it's because it has been a long day!

Cheers,
MRb
1:36 am on Sep 13, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I hope you are also making sure those POST parameters are clean ones before using them, otherwise you are leaving yourself open to SQL Injection attacks.