php_nub_qq Posted April 27, 2013 Share Posted April 27, 2013 Hi, can you tell me why this code always returns the ID when the inputted password is blank, although the real password is not a blank field SELECT `id` FROM `users` WHERE `email`='email@gmail.com' AND `password`='' Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/ Share on other sites More sharing options...
n1concepts Posted April 27, 2013 Share Posted April 27, 2013 You are matching on an empty search for the password column. If you don't want to find results on query where 'password' column is NOT empty, then adjust your query to: SELECT `id` FROM `users` WHERE `email`='email@gmail.com' AND `password`!='' Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426856 Share on other sites More sharing options...
mac_gyver Posted April 27, 2013 Share Posted April 27, 2013 how do you know you are matching a row/getting the ID when the entered password is blank? Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426868 Share on other sites More sharing options...
n1concepts Posted April 27, 2013 Share Posted April 27, 2013 (edited) You wouldn't if it was for the 'email' clause in question and that 'email' password NOT blank... How about helping the person who's asking the question with actual help to resolve his issue than just wanting to post a 'question' of no value - 'give creditable advise, if you have it, or...' SMILE Edited April 27, 2013 by n1concepts Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426879 Share on other sites More sharing options...
Jessica Posted April 27, 2013 Share Posted April 27, 2013 (edited) You wouldn't if it was for the 'email' clause in question and that 'email' password NOT blank... How about helping the person who's asking the question with actual help to resolve his issue than just wanting to post a 'question' of no value - 'give creditable advise, if you have it, or...' SMILE He WAS asking the OP, not you. The OP is claiming that the query is returning results he feels are impossible. The question is how do you know it's returning results? The point being, the problem may be with your code that is making you think it returned something. How about you don't tell other people what to post, and let the moderators deal with it if there's an actual problem. Our rules state this. And since you're so keen on helping the OP, maybe you should re-read the post. Your query is even further from what he wants. You have not provided anything of value to this thread. Edited April 27, 2013 by Jessica Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426880 Share on other sites More sharing options...
n1concepts Posted April 27, 2013 Share Posted April 27, 2013 Not a problem at all - I'll just become a passive viewer from this point forward but that helps no one ... You can kill my account if I'm being taken negative (not the intention). Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426881 Share on other sites More sharing options...
php_nub_qq Posted April 27, 2013 Author Share Posted April 27, 2013 (edited) Well I know it's returning an ID because I'm running this query in mysql directly. I am positive that the password of this user is not blank and still if I try to log in with a blank password field it logs in ( the query passes because it returns an ID which sets mysqli num_rows property to greater than 0 ). I tried this with other users and it returns wrong password ( doesn't return an ID ), just with this specific user the query passes without a password. This is really weird Edited April 27, 2013 by php_nub_qq Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426886 Share on other sites More sharing options...
Jessica Posted April 27, 2013 Share Posted April 27, 2013 Do a select * on the user id. What is returned? Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426887 Share on other sites More sharing options...
PaperTiger Posted April 28, 2013 Share Posted April 28, 2013 The password must be blank, otherwise it wouldn't work. Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426899 Share on other sites More sharing options...
php_nub_qq Posted April 28, 2013 Author Share Posted April 28, 2013 Do a select * on the user id. What is returned? All columns appear The password must be blank, otherwise it wouldn't work. The password is asdasd I can just delete this user but I'm really curious why this is happening and if it could happen again in future O.o Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426933 Share on other sites More sharing options...
mac_gyver Posted April 28, 2013 Share Posted April 28, 2013 actually, do a SELECT * FROM `users` WHERE `email`='email@gmail.com' and post what you get as a result so that we can see it too (alter the posted email address if it is a real one), to help in finding out why what you are doing isn't working. posting your table definition and your actual code that is forming and running the query would help too. you either have one or more rows with that email address in it and have a row with an empty password in it that the query is directly matching or you have a row with a password value containing characters in it that are being converted to a value so that it matches an empty string. it's also possible that both your actual code and the method you are using to run the query directly in mysql (you haven't shown your code or stated how you are directly running the query) is causing a conversion that matches a row (see the following thread where someone was matching all values in a column because of a character column being treated as/converted to a number for the comparison - http://forums.phpfreaks.com/topic/276881-mysqli-update-using-placeholders/ ) to help you to find the cause of the problem we need to know and have all the information, code, data, that you have about the the problem. Quote Link to comment https://forums.phpfreaks.com/topic/277360-blank-password-always-pass/#findComment-1426939 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.