rwwd Posted September 9, 2010

Hi there people of the database forum,

I don't often post on here, but this little query has me concerned, what have I done wrong, I can't see anything, but so long as the username & email are filled out, it appears that you could enter anything into the md5() password part, I cannot understand why this is so: (all data to this point has been sanitised too)

"SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1";

Any ideas?

Cheers,
Rw
DavidAM Posted September 9, 2010

AND takes precedence over OR - wrap the conditions in parentheses:

SELECT * FROM tester WHERE ( `name` = 'POSTED USER NAME' OR user_email = 'POSTED EMAIL') AND password = 'MD5 OF POSTED PASSWORD';

The way you had it should have worked as long as the name was correct, since it would have been interpreted as [ name = POSTED OR (email = POSTED AND password = POSTED) ]
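The precedence difference described in the reply above, reproduced against an in-memory SQLite database (an added example, not code from the thread). The account row, the helper names and the use of bound parameters are assumptions; SQLite, like MySQL, binds AND more tightly than OR.

```python
import hashlib
import sqlite3


def md5_hex(s):
    # MD5 is used only to mirror the schema in the thread.
    return hashlib.md5(s.encode()).hexdigest()


def make_db():
    # Constructed sample data; table and column names follow the posted query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tester (name TEXT, user_email TEXT, password TEXT)")
    db.execute("INSERT INTO tester VALUES (?, ?, ?)",
               ("alice", "alice@example.test", md5_hex("correct-horse")))
    return db


# As posted: parsed as  name = ? OR (user_email = ? AND password = ?)
UNGROUPED = ("SELECT name FROM tester WHERE name = ? OR user_email = ? "
             "AND password = ? LIMIT 1")
# As corrected in the reply: the password test applies to both identifiers.
GROUPED = ("SELECT name FROM tester WHERE (name = ? OR user_email = ?) "
           "AND password = ? LIMIT 1")


def login(db, query, identifier, password):
    """Return the matched account name, or None when the login is rejected."""
    params = (identifier, identifier, md5_hex(password))
    row = db.execute(query, params).fetchone()
    return row[0] if row else None


def compare(db, identifier, password):
    """Run the same login attempt through both forms of the WHERE clause."""
    return {"ungrouped": login(db, UNGROUPED, identifier, password),
            "grouped": login(db, GROUPED, identifier, password)}


if __name__ == "__main__":
    db = make_db()
    attempts = [("alice", "wrong"), ("alice@example.test", "wrong"),
                ("alice", "correct-horse"), ("alice@example.test", "correct-horse")]
    for ident, pw in attempts:
        print(ident, pw, compare(db, ident, pw))
```

Only the username branch escapes the password check in the ungrouped form; a login by email with a wrong password is still rejected, which is why the problem is easy to miss when testing with email addresses.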
rwwd Posted September 9, 2010 Author

Hi there DavidAM,

I shall just try the amended code & see what happens, fortunately this is for an intranet site & as yet no one has reported this to me

[EDIT] Cheers, works like a treat

Cheers,
Rw
Archived
This topic is now archived and is closed to further replies.