Basic SQL Injection

5 replies
Kayin
SX Retired
Joined: 2008/10/09

A login page has 2 input fields.
1. Username
2. Password

One button that posts the form back to itself.

The code on the login page is as follows:

<?php
session_start(); // needed before $_SESSION is written below

if(isset($_POST["clicked"]))
{
$hostname = "localhost";
$database = "mydb";
$username = "me";
$password = "";
$dbcnx = mysql_connect($hostname, $username, $password) or die(mysql_error());

mysql_select_db($database, $dbcnx);

// Form values are concatenated straight into the SQL string (this is the point of the exercise)
$query  = "SELECT * FROM User WHERE Username = '" .  $_POST["username"]. "' AND Password = '" . $_POST['password'] . "' ";
$result = mysql_query($query) or die(mysql_error());

// Any returned row counts as a successful login
while($row = mysql_fetch_assoc($result))
{
     $_SESSION["User"] = $row["UserId"];
     header("Location: /Admin/Default.php");
     die();
}

$error = true;

}
?>

What's wrong with this?

What do you type into the username or password field to log in as anyone you want without knowing a password?

---------------------
Note: ridiculously easy but I'm curious what kind of response this will get.

-K
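For comparison, here is the same login flow written so that the form values can no longer alter the query. This is an added example, not code from the original post; it assumes a PDO connection to the same "mydb" database and that the User table stores a password_hash() value in a column named PasswordHash (both column name and DSN are assumptions).

```php
<?php
// Added example (not part of the original post): the login from the post with
// the user-controlled values bound as parameters instead of concatenated into SQL.
// Assumptions: PDO/MySQL connection to "mydb"; User table has a PasswordHash
// column holding a password_hash() result (column name assumed).
session_start();

$error = false;

if (isset($_POST["clicked"])) {
    $dsn = "mysql:host=localhost;dbname=mydb;charset=utf8mb4";
    $pdo = new PDO($dsn, "me", "", [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);

    // The SQL text is fixed; the username travels separately as a bound value,
    // so quote characters in it cannot change the statement's structure.
    $stmt = $pdo->prepare("SELECT UserId, PasswordHash FROM User WHERE Username = :username");
    $stmt->execute([":username" => $_POST["username"] ?? ""]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash instead of matching plaintext in SQL.
    // The password itself never reaches the database.
    if ($row !== false && password_verify($_POST["password"] ?? "", $row["PasswordHash"])) {
        session_regenerate_id(true);   // new session id on privilege change
        $_SESSION["User"] = $row["UserId"];
        header("Location: /Admin/Default.php");
        exit;
    }

    $error = true;   // same outcome for unknown user and wrong password
}
?>
```

Two things change relative to the posted code: the query shape is decided before any user input is seen, and the "is this user authenticated" decision is made by password_verify() in PHP rather than by whether the database happened to return a row.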