Posted by Christophe Chisogne on 02/18/05 11:01
Mailit, LLC wrote:
> $userName = $_POST['userName'];
> $passw = $_POST['passw'];
> (...)
> $cmd = "SELECT * FROM theTable "
> . "WHERE userName='$userName' ";
> $res = mysql_query( $cmd ) or die( "Password search failed." );
Without validating userName in $_POST, that code is vulnerable
to SQL injection, for example if userName starts with a single quote...
See the PHP Security Guide on 'SQL Injection'
http://phpsec.org/projects/guide/3.html#3.2
> $passe = crypt( $passw, $rec['ePass'] );
> if( $passe == $rec['ePass'] )
It seems that the above vulnerability can't be exploited,
but I think it's better to be aware of it.
Christophe
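A hardened version of the quoted lookup, added here as an example and not code from either poster; it assumes an existing PDO connection `$pdo` and keeps the table and column names (`theTable`, `userName`, `ePass`) from the quoted code:

```php
<?php
// Added example (not from the original thread): parameterised lookup with PDO.
// Assumes $pdo is an already-opened PDO connection; names follow the quoted code.

function findUserRecord(PDO $pdo, string $userName): ?array
{
    // The user-supplied value is bound as a parameter, never spliced into the
    // SQL text, so a leading single quote cannot change the query structure.
    $stmt = $pdo->prepare('SELECT userName, ePass FROM theTable WHERE userName = :userName');
    $stmt->execute([':userName' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function passwordMatches(string $passw, string $storedHash): bool
{
    // Same crypt() scheme as the quoted code (the stored hash supplies the salt),
    // but compared with hash_equals() rather than == to avoid PHP's loose string
    // comparison and a timing side channel.
    $passe = crypt($passw, $storedHash);
    return hash_equals($storedHash, $passe);
}

// Usage: read the POST fields with quoted keys and a default, then authenticate.
$userName = $_POST['userName'] ?? '';
$passw    = $_POST['passw'] ?? '';

$rec = findUserRecord($pdo, $userName);
if ($rec !== null && passwordMatches($passw, $rec['ePass'])) {
    // authenticated: continue with the session setup
} else {
    // One message for both "unknown user" and "wrong password", so the
    // response does not reveal which user names exist.
    die('Login failed.');
}
```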