On 7/1/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> $LoginName = $_POST['Username']; //Get user id from the login form
> $LoginPass = $_POST['Password']; //Get user password from the login form
> //Search in a table for valid users: Customer_Table
> $Query = "SELECT `LoginNameCol`, `PasswordCol` FROM `Customer_Table` WHERE `LoginNameCol` = '$LoginName' AND `PasswordCol` = '$LoginPass' ";
> $Result = mysql_query($Query);
Unfortunately your script allows anyone to log in, because you're not escaping user input before sending it to MySQL. If $_POST['Password'] is "foo' OR '1'='1", the query will always return a result, and the user will be logged in.

Please always remember to use mysql_real_escape_string() on user-submitted values before using them in a MySQL query.

Perhaps your application is deployed in an environment that has magic_quotes turned on, in which case it won't be vulnerable to the example attack, but it is considered bad form to rely on that feature.

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
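The following is an added illustration, not code from the thread: it puts the posted login query next to the escaped form the reply recommends and, for current PHP where the old mysql extension no longer exists, a mysqli prepared statement. It assumes an open mysql link `$link` and an open mysqli connection `$mysqli`; the placeholder credential values stand in for $_POST.

```php
<?php
// Added example. Shows why the posted login query is injectable and two ways
// to close the hole. Assumes $link (mysql extension, PHP 5) and $mysqli
// (mysqli object) are already connected; neither is created here.

// Input as it would arrive from the form. The password is the exact payload
// quoted in the reply: the quote closes the string literal early and the
// OR '1'='1' clause is true for every row, so the login query matches.
$loginName = 'nobody';            // constructed sample value for $_POST['Username']
$loginPass = "foo' OR '1'='1";    // constructed sample value for $_POST['Password']

// If magic_quotes_gpc is on, PHP has already backslash-escaped the input.
// Undo that first so the values are escaped exactly once below, by our code,
// instead of relying on a setting that may be off on the next server.
// (get_magic_quotes_gpc() exists up to PHP 7.4; it was removed in PHP 8.)
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $loginName = stripslashes($loginName);
    $loginPass = stripslashes($loginPass);
}

$sql = "SELECT `LoginNameCol`, `PasswordCol` FROM `Customer_Table` "
     . "WHERE `LoginNameCol` = '%s' AND `PasswordCol` = '%s'";

// 1. As posted: raw interpolation. The resulting WHERE clause reads
//    `LoginNameCol` = 'nobody' AND `PasswordCol` = 'foo' OR '1'='1'
//    which MySQL evaluates as (name AND pass) OR TRUE -> every row matches.
$vulnerableQuery = sprintf($sql, $loginName, $loginPass);

// 2. The fix from the reply (mysql extension, PHP 5 only): each quote and
//    backslash in the input is escaped, so the payload stays inside the
//    string literal:  `PasswordCol` = 'foo\' OR \'1\'=\'1'  -> no row matches.
$escapedQuery = sprintf(
    $sql,
    mysql_real_escape_string($loginName, $link),
    mysql_real_escape_string($loginPass, $link)
);
$result = mysql_query($escapedQuery, $link);
$loggedIn = $result && mysql_num_rows($result) === 1;

// 3. Same check with a mysqli prepared statement (PHP 5+ and current PHP):
//    the values are sent separately from the SQL text, so there is no
//    escaping step to forget and the payload is compared as a plain string.
$stmt = $mysqli->prepare(
    "SELECT `LoginNameCol` FROM `Customer_Table` "
  . "WHERE `LoginNameCol` = ? AND `PasswordCol` = ?"
);
$stmt->bind_param('ss', $loginName, $loginPass);
$stmt->execute();
$stmt->store_result();
$loggedIn = ($stmt->num_rows === 1);   // false for the injected password
$stmt->close();
```

In the vulnerable form the attacker never needs a valid username, since the trailing OR clause makes the whole predicate true; in both fixed forms the quote characters are data, not SQL, and the row lookup fails as it should.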