This class can be dangerous.

Recommend this page to a friend!

      Simple login and database module  >  All threads  >  This class can be dangerous.  >  (Un) Subscribe thread alerts  
Subject:This class can be dangerous.
Summary:Package rating comment
Messages:3
Author:Artur Graniszewski
Date:2010-08-24 13:27:35
Update:2010-08-25 12:13:22
 

Artur Graniszewski rated this package as follows:

Utility: Bad
Consistency: Sufficient
Documentation: Not sure
Examples: Good

  1. This class can be dangerous.   Reply   Report abuse  
Picture of Artur Graniszewski Artur Graniszewski - 2010-08-24 13:27:35
This class can be dangerous. If PHP is configured to magic_quotes_gpc = off every hacker can succesfully login without using valid password. The simple solution is to type in this username to login without password:

<existing_username>' --

So for example to login as admin, you should type in:

admin'--

(with single quote and two minuses at the end). This is called SQL injection (and this is the simple one;))

Next time try to use mysql_real_escape_string() to sanitize your input


  2. Re: This class can be dangerous.   Reply   Report abuse  
Picture of Saeed Ahmed Saeed Ahmed - 2010-08-25 10:50:00 - In reply to message 1 from Artur Graniszewski
thank you for your wise observation. did you try my class with magic_quotes_gpc=off
if you do this admin'-- without password then it will show "query could not executed"

anyway I plan to add those security matters. so thank you for review my class.

  3. Re: This class can be dangerous.   Reply   Report abuse  
Picture of Saeed Ahmed Saeed Ahmed - 2010-08-25 12:13:22 - In reply to message 1 from Artur Graniszewski
changes are made

 

For more information send a message to info at phpclasses dot org.