[nycphp-talk] (no subject)
csnyder
chsnyder at gmail.com
Mon Jul 2 12:05:09 EDT 2007
On 7/1/07, tuon1 at netzero.net <tuon1 at netzero.net> wrote:
>
> $LoginName = $_POST['Username']; //Get user id from the login form
> $LoginPass = $_POST['Password']; //Get user password from the login form
>
>
> //Search in a table for valid users: Customer_Table
> $Query = "SELECT `LoginNameCol`, `PasswordCol` FROM `Customer_Table`
> WHERE `LoginNameCol` = '$LoginName' AND
> `PasswordCol` = '$LoginPass' ";
> $Result = mysql_query($Query);
Unfortunately your script allows anyone to log in, because you're not
escaping user input before sending it to MySQL.
If $_POST['Password'] is "foo' OR '1'='1", the query will always
return a result, and the user will be logged in.
Please always remember to use mysql_real_escape_string() on
user-submitted values before using them in a MySQL query.
Perhaps your application is deployed in an environment that has
magic_quotes turned on, in which case it won't be vulnerable to the
example attack, but it is considered bad form to rely on that feature.
--
Chris Snyder
http://chxo.com/
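To make the point above concrete, here is an added example (not from the original post or from Chris) that runs the quoted query both ways against a constructed in-memory SQLite table via PDO, using the exact password payload from the reply. PDO bound parameters stand in for the escaping step; the table, the user `alice`/`secret` and the function names are assumptions made here.

```php
<?php
// Added example, not code from the original post. An in-memory SQLite
// database via PDO lets it run offline; the table and its single user
// are constructed here. Column and table names follow the quoted script.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Customer_Table (LoginNameCol TEXT, PasswordCol TEXT)");
$db->exec("INSERT INTO Customer_Table VALUES ('alice', 'secret')");

// Vulnerable form: submitted values are interpolated straight into the SQL
// text, exactly as in the quoted script. A quote in the input ends the
// string literal and the rest is parsed as SQL.
function loginConcat(PDO $db, string $name, string $pass): bool {
    $query = "SELECT LoginNameCol, PasswordCol FROM Customer_Table
              WHERE LoginNameCol = '$name' AND PasswordCol = '$pass'";
    return $db->query($query)->fetch() !== false;
}

// Hardened form: values travel as bound parameters, never as SQL text,
// so quote characters in the input cannot alter the query's structure.
// (With the mysql_* API the post uses, mysql_real_escape_string() on each
// value before interpolation is the equivalent fix Chris recommends.)
function loginBound(PDO $db, string $name, string $pass): bool {
    $stmt = $db->prepare("SELECT LoginNameCol, PasswordCol FROM Customer_Table
                          WHERE LoginNameCol = ? AND PasswordCol = ?");
    $stmt->execute([$name, $pass]);
    return $stmt->fetch() !== false;
}

$payload = "foo' OR '1'='1";   // the password value from the reply above

var_dump(loginConcat($db, 'alice', 'secret'));   // bool(true): real credentials
var_dump(loginConcat($db, 'nobody', $payload));  // bool(true): unknown user logs in
var_dump(loginBound($db, 'alice', 'secret'));    // bool(true): real credentials
var_dump(loginBound($db, 'nobody', $payload));   // bool(false): payload is just a string
```

The second call succeeds because the concatenated WHERE clause becomes `... AND PasswordCol = 'foo' OR '1'='1'`, which is true for every row; the bound version compares the whole payload as a literal password and finds no match.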