rwwd Posted September 9, 2010 Share Posted September 9, 2010 Hi there people of the database forum, I don't often post on here, but this little query has me concerned, what have I done wrong, I can't see anything, but so long as the username & email are filled out, it appears that you could enter anything into the md5() password part, I cannot understand why this is so: (all data to this point has been sanitised too ) "SELECT * FROM `tester` WHERE `name` = '".$_POST['username']."' OR `user_email` = '".$_POST['username']."' AND `password` = '".md5($_POST['password'])."' LIMIT 1"; Any ideas? Cheers, Rw Quote Link to comment Share on other sites More sharing options...
DavidAM Posted September 9, 2010 Share Posted September 9, 2010 AND takes precedence over OR - wrap the conditions in parenthesis: SELECT * FROM tester WHERE ( `name` = 'POSTED USER NAME' OR user_email = 'POSTED EMAIL') AND password = 'MD5 OF POSTED PASSWORD; The way you had it should have worked as long as the name was correct, since it would have been interpreted as [ name = POSTED OR (email = POSTED AND password = POSTED) ] Quote Link to comment Share on other sites More sharing options...
rwwd Posted September 9, 2010 Author Share Posted September 9, 2010 Hi there DavidAM, I shall just try the amended code & see what happens, fortunately this is for an intranet site & as yes on one has reported this to me [EDIT] Cheers, works like a treat Cheers, Rw Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.