1. Home
  2. Forums Index
  3. Server Side / Databases 2:52 am May 21, 2026

Forum Moderators: open

Message Too Old, No Replies

Odd issue with a SELECT query.

         

Matthew1980

5:49 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there people of the database forum,

I don't often post on here, but this little query has me concerned, what have I done wrong, I can't see anything, but so long as the username & email are filled out, it appears that you could enter snything into the md5() password part, I cannot understand why whi is so:

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas?

Cheers,
MRb

LifeinAsia

6:26 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Some parens would be helpful:
"SELECT * FROM `tester` WHERE (`name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."') AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Matthew1980

6:40 pm on Sep 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there lifeinAsia,

Thanks for that, I should have known this really, I guess it's because it has been a long day!

Cheers,
MRb

Dijkgraaf

1:36 am on Sep 13, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I hope you are also making sure those POST parameters are clean ones before using them, otherwise you are leaving yourself open to SQL Injection attacks.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / Databases 2:52 am May 21, 2026