Possible Duplicate:
What is SQL injection?

I saw somewhere that they used code like

login=' or 1=1 -- & password=' or 1=1 --

to log in to sites from the front end. I was wondering how this code is used to break the login.

Hacker

2 Answers

What you are looking for is SQL injection.

http://en.wikipedia.org/wiki/SQL_injection

fkerber

The example you gave exploits badly thought-out code, where user input is not escaped before being used in queries. Let's say there is a form with user and password fields (form.html), which passes the entered values to a PHP script (test.php). Assume the user writes '' OR 1 =1-- in both fields.

The code below does not escape user input. You should use mysql_real_escape_string() or parameterized queries to do that.

form.html:

<form method="POST" action="test.php">
    <input type="text" name="login" value=""><br />
    <input type="text" name="password" value=""><br />
    <input type="submit"/>
</form>

test.php:

<?php
// Assumes a MySQL connection was already opened with mysql_connect()
// (the mysql_* extension is deprecated and was removed in PHP 7).
$name = $_POST['login'];
$pass = $_POST['password'];
echo $name . "<br />";
// User input is concatenated straight into the query, unquoted and unescaped.
$sql = "SELECT * FROM users WHERE login = $name AND password = $pass ";
// $sql now contains this command:
// SELECT * FROM users WHERE login= '' OR 1=1-- AND password = '' OR 1 =1--
// The condition OR 1=1 means that any row satisfies the query;
// everything after -- is a comment, so the password check is never evaluated.
// As long as there is at least 1 row in the table users, authorisation will be successful.
echo $sql . "<br />";
$result = mysql_query($sql);
afaf12
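An added example (not code from either answer) that reproduces the bypass and the recommended fix in Python against an in-memory SQLite database, using the payload from the question with quoted string interpolation; the table, its columns and the single sample user are constructed for the demo.

```python
import sqlite3

PAYLOAD = "' or 1=1 --"  # the value from the question, used for both fields


def make_db():
    """Constructed sample database: one user row, in memory (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_sql(login, password):
    # Same mistake as test.php: user input becomes part of the SQL text.
    return f"SELECT * FROM users WHERE login = '{login}' AND password = '{password}'"


def login_vulnerable(conn, login, password):
    # With PAYLOAD the statement reads:
    #   SELECT * FROM users WHERE login = '' or 1=1 --' AND password = '' or 1=1 --'
    # '--' comments out the rest of the line, so only  login = '' or 1=1  is
    # evaluated and every row matches, password included.
    return conn.execute(build_vulnerable_sql(login, password)).fetchall()


def login_parameterized(conn, login, password):
    # The fix the answer recommends: placeholders keep the input as data, never SQL.
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


def looks_injected(value):
    # Crude signal a defender might log or alert on (comment marker or tautology).
    # Useful for monitoring, not a substitute for parameterized queries.
    lowered = value.lower()
    return "--" in lowered or " or 1=1" in lowered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, PAYLOAD))      # [('alice', 's3cret')]
    print("parameterized:", login_parameterized(db, PAYLOAD, PAYLOAD))  # []
    print("genuine login:", login_parameterized(db, "alice", "s3cret"))  # [('alice', 's3cret')]
    print("flag input   :", looks_injected(PAYLOAD))                     # True
```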