Possible Duplicate:
What is SQL injection?
I saw somewhere that they used code like
login=' or 1=1 -- & password=' or 1=1 --
to log in to sites from the front end. I was wondering how this code is used to break the login.
The example you gave exploits badly thought-out code, where user input is not escaped and is used in queries. Let's say there is a form with user and password fields (form.html), which passes the values entered to a PHP script (test.php). Assume the user writes '' OR 1 =1-- in both fields.
The code below does not escape user input. You should use mysql_real_escape_string() or parameterized queries to do that.
form.html:
<form method="POST" action="test.php">
<input type="text" name="login" value=""><br />
<input type="text" name="password" value=""><br />
<input type="submit"/>
</form>
test.php:
<?php
$name = $_POST['login'];
$pass = $_POST['password'];
echo $name . "<br />";
// Vulnerable on purpose: the raw input is pasted straight into the SQL text
$sql = "SELECT * FROM users WHERE login = '$name' AND password = '$pass'";
// $sql now contains this command (everything after -- is an SQL comment):
// SELECT * FROM users WHERE login = '' OR 1=1--' AND password = '' OR 1 =1--'
// condition OR 1=1 means that any row satisfies the query
// as long as there is at least 1 row in the table users, authorisation will be successful
echo $sql . "<br />";
$result = mysql_query($sql);
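As an added illustration (not part of the answer above), the same string-built query run against an in-memory SQLite table in Python, beside the parameterized form the answer recommends; the `users` table and its single row are constructed here, and `INJECTED` is the input from the question.

```python
import sqlite3

# The input from the question; in the string-built query it closes the quote,
# adds "OR 1=1" and comments out the rest of the WHERE clause.
INJECTED = "' or 1=1 --"


def make_db():
    """Constructed sample table: one user, enough for OR 1=1 to match a row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_query(name, password):
    """Builds the SQL text the same way the answer's test.php does."""
    return f"SELECT * FROM users WHERE login = '{name}' AND password = '{password}'"


def vulnerable_login(conn, name, password):
    """Runs the string-built query; quotes and -- in the input become SQL."""
    return conn.execute(vulnerable_query(name, password)).fetchall()


def safe_login(conn, name, password):
    """Parameterized query: the driver passes the values separately, so the
    same input is compared literally against the login column."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(INJECTED, INJECTED))
    print("vulnerable:", vulnerable_login(db, INJECTED, INJECTED))  # one row: logged in
    print("parameterized:", safe_login(db, INJECTED, INJECTED))     # []: rejected
```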