How to Login to Any Account on an Insecure Site
09-20-2007, 09:49 AM
Join Date: Apr 2007
Tanax, in your example the password is sent in a POST request (from a form) and fed (via mysql_escape_string) directly into the query. There are a couple of problems with that SQL query. Firstly, there are no quotes around where the password will go ( ... WHERE `pass` = '%s' ) -- unless all of your passwords are numbers, that will cause problems. Secondly, you compare the column in the database directly to the string sent through the POST request. You should never, ever, store passwords exactly as they are entered into forms (in "plain text"). Wildhoney has written about password hashes, as well as one soon to be released on . Finally, your query would be useless in any real terms because it would return a result if password in the table matched what was POSTed. You must always match it against a parameter unique to each individual (user id number or similar). Oh, and you should use to "print to a string" rather than the printf that you have there.

All that said, as far as "protecting" the actual value passed from POST that is a good start.
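A login routine that addresses the three points raised in the post above, written as an added PHP example (not code from Tanax, Salathe or the thread): the value is bound through a prepared statement instead of being formatted into the SQL, the stored value is a password hash rather than plain text, and the lookup is keyed on the username rather than the password column. It assumes PDO with the sqlite driver is available; the table layout and the two users are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database via PDO
// keeps it self-contained; a MySQL DSN would work the same way.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, pass TEXT NOT NULL)');

// Second point from the post: store a salted hash, never the plain-text password.
function registerUser(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (name, pass) VALUES (:name, :pass)');
    $stmt->execute([':name' => $name, ':pass' => password_hash($password, PASSWORD_DEFAULT)]);
}

// First and third points: the prepared statement handles quoting, so no sprintf
// and no manual escaping, and the WHERE clause uses a per-user identifier (the
// username), not the password column. Returns the user id, or null on failure.
function login(PDO $db, string $name, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pass FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;   // unknown user or wrong password; do not say which
    }
    return (int) $row['id'];
}

// Constructed data: two users who happen to share a password. A query that
// matched on the pass column alone would return a row for either of them.
registerUser($db, 'alice', 'hunter2');
registerUser($db, 'bob', 'hunter2');

foreach ([['bob', 'hunter2'], ['bob', 'wrong'], ["bob' OR '1'='1", 'hunter2']] as [$n, $p]) {
    $id = login($db, $n, $p);
    echo $n, ': ', $id === null ? 'denied' : "user id $id", PHP_EOL;
}
```

The third attempt is denied because the quote characters arrive as bound data, never as part of the SQL text.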