Mailit, LLC wrote:
$userName = $_POST["userName"];
$passw = $_POST["passw"];
(...)
$cmd = "SELECT * FROM theTable "
. "WHERE userName='$userName'";
$res = mysql_query( $cmd ) or die( "Password search failed." );
Without validating userName in $_POST, that code is vulnerable to
---BeginMessage---
Here is the setup that I have used.
Please, adapt to your needs.
Table 'theTable' is supposed to contain columns fname, mname, lname
and ePass (encrypted password). The crypt() function produces a password that
cannot be decrypted and really works well.
Of course, you need to
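
Added example, not code from either poster: the userName lookup from the first message rewritten with a bound parameter, and the password checked against a one-way hash stored in ePass as the second message describes. It assumes PHP 5.5+ with the PDO SQLite driver; the in-memory database, the sample row and the checkLogin() helper are constructed for illustration.

```php
<?php
// Constructed schema and data; in-memory SQLite so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE theTable (
    userName TEXT PRIMARY KEY, fname TEXT, mname TEXT, lname TEXT, ePass TEXT)");

// Store only a one-way hash in ePass. password_hash() is a crypt() wrapper
// that picks the algorithm and a random salt for you.
$ins = $db->prepare(
    "INSERT INTO theTable (userName, fname, mname, lname, ePass) VALUES (?, ?, ?, ?, ?)");
$ins->execute(['alice', 'Alice', 'Q', 'Example',
               password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the user's name columns on success, null otherwise.
 */
function checkLogin(PDO $db, $userName, $passw)
{
    // Reject non-string input (e.g. userName[]=x arrives as an array).
    if (!is_string($userName) || !is_string($passw) || $userName === '') {
        return null;
    }

    // The placeholder keeps $userName out of the SQL text, so quotes in it
    // are compared as data instead of being parsed as syntax.
    $stmt = $db->prepare(
        "SELECT fname, mname, lname, ePass FROM theTable WHERE userName = :u");
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-hashes $passw with the salt embedded in ePass
    // and compares in constant time; it also accepts hashes made by crypt().
    if ($row === false || !password_verify($passw, $row['ePass'])) {
        return null;
    }

    unset($row['ePass']); // never hand the hash back to the caller
    return $row;
}

// Constructed inputs: valid login, a name containing quotes, a wrong password.
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, "alice' OR '1'='1", 'x'));
var_dump(checkLogin($db, 'alice', 'wrong'));
```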