First, a reminder to several (including some in this thread) that top-posting is against the law here.

On Wed, Jul 8, 2009 at 09:48, Martin Scotta <martinscotta@xxxxxxxxx> wrote:
> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
> .'\'))';

Second, another, more important reminder:

    <?php
    $username = '" OR 1 OR "';
    ?>

Since the first rows in a database are usually the default administrator logins, the first to match what is basically a 'match if this is a row' statement will be logged in.

The moral of the story: don't forget to clean your input (which I'm sure ya'all were doing.... but with top-posters, you never know ;-P).

--
</Daniel P. Brown>
daniel.brown@xxxxxxxxxxxx || danbrown@xxxxxxx
http://www.parasane.net/ || http://www.pilotpig.net/
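
One way to keep user input out of the SQL text, as an added example that is not part of the original message or the thread's code: the query is prepared with a bound parameter and the password is checked in PHP. The `users` table name, the two accounts, their passwords and the in-memory SQLite database (which needs the pdo_sqlite extension) are constructed for illustration, and `password_hash()`/`password_verify()` are swapped in for the quoted `md5(concat(...))` scheme.

```php
<?php
// Added example: constructed table and accounts in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, passwd TEXT)');

// Constructed sample accounts; only the salted hash is stored.
$accounts = ['admin' => 'constructed-admin-pw', 'martin' => 'constructed-user-pw'];
$insert = $db->prepare('INSERT INTO users (username, passwd) VALUES (:u, :p)');
foreach ($accounts as $name => $plain) {
    $insert->execute([':u' => $name, ':p' => password_hash($plain, PASSWORD_DEFAULT)]);
}

/**
 * Hypothetical helper: returns the user id on success, null otherwise.
 */
function login(PDO $db, string $username, string $password): ?int
{
    // The SQL text is fixed; $username is only ever sent as a bound value,
    // so quotes inside it cannot change the structure of the WHERE clause.
    $stmt = $db->prepare('SELECT id, passwd FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is compared in PHP and never becomes part of the query.
    if ($row === false || !password_verify($password, $row['passwd'])) {
        return null;
    }
    return (int) $row['id'];
}

var_dump(login($db, 'martin', 'constructed-user-pw')); // valid credentials
var_dump(login($db, '" OR 1 OR "', 'anything'));       // the $username value from the message
var_dump(login($db, 'martin', 'wrong'));               // known user, wrong password
```

With the bound parameter, the `$username` value from the message is looked up as a literal user name, so the query matches no row.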