Hello everyone, I created a login page, but I am facing some difficulties with it.
My login page is working, but only on the second attempt. I mean, when I try to log in, it does not log me in and gives me the login page again, but when I try to log in a second time with the same username and password, it logs in/works.
Can anyone tell me the problem? Here is my code:
If I post username ' OR '1'='1, your query becomes SELECT `id` FROM `users` WHERE `username`= '' OR '1' = '1' AND `password`= 'whatever here'. As a result (the OR taking precedence if I recall correctly), all records will be returned and I will definitely be able to login. That's just a "harmless" use. With the right input you can delete records, or even drop entire tables. Use mysql_real_escape_string or casting to numbers on every single value you use in any query.
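An added example, not part of the original thread: the string-built query from the reply above next to a prepared-statement version, which is the usual hardened form now that the `mysql_*` functions were removed in PHP 7. It assumes PDO with the SQLite driver; the in-memory `users` table, its rows and the function names `loginConcatenated` and `loginPrepared` are constructed for the illustration.

```php
<?php
// Constructed sample data in an in-memory SQLite database, standing in for
// the thread's MySQL `users` table (assumption: same column names).
// Plaintext passwords only mirror the quoted query; store password_hash()
// output and check it with password_verify() in real code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password)
           VALUES ('alice', 'whatever here'), ('bob', 'hunter2')");

// Vulnerable: request input is spliced into the SQL text, as in the quoted query.
function loginConcatenated(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT `id` FROM `users` WHERE `username`= '$user' AND `password`= '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: placeholders send the values separately from the SQL text,
// so quotes in the input can never become SQL syntax.
function loginPrepared(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare('SELECT `id` FROM `users` WHERE `username` = ? AND `password` = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "' OR '1'='1"; // the username value quoted in the reply above

// The database parses the spliced text as
//   `username` = '' OR ('1'='1' AND `password` = 'whatever here')
// because AND binds tighter than OR: the username test no longer applies.
echo 'concatenated, payload: ', json_encode(loginConcatenated($db, $payload, 'whatever here')), "\n";

// Same input through placeholders: it is compared as a literal username.
echo 'prepared, payload:     ', json_encode(loginPrepared($db, $payload, 'whatever here')), "\n";

// A legitimate login still works with the prepared statement.
echo 'prepared, alice:       ', json_encode(loginPrepared($db, 'alice', 'whatever here')), "\n";

// Edge case: an ordinary apostrophe breaks the concatenated query outright,
// while the prepared statement just finds no such user.
try {
    loginConcatenated($db, "o'brien", 'x');
} catch (PDOException $e) {
    echo "concatenated, o'brien: SQL error\n";
}
echo "prepared, o'brien:     ", json_encode(loginPrepared($db, "o'brien", 'x')), "\n";
```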