Well, I don't want this to be a question about hacking tips, so please don't vote for it. I work in an online store, and I found that some of our old PHP pages are vulnerable to SQL injection in the username and want to know how bad this is.
We use the PHP string to embed user input from POST into the login form.
$uname = $_POST['username']; $pass = md5($_POST['pass']); $sql = "SELECT * FROM users WHERE username='$uname' AND password='$pass' AND userlevel='user'"; ...
then I run the query.
Now, I am not an expert on SQL, I just use what I can put together on phpMyAdmin. But I was able to log in without a username, instead using:
' OR 1 '
I know that to avoid user input, I use mysql_real_escape_string .
My question is: how vulnerable is this code, and someone can enter this page and do not need a password? I think maybe they donโt need a username, but they can only go too far. But I'm not a SQL guru, and I'm wondering if some tricks can be used against us.
We use MySQL.
And please, I donโt need lectures on checking input, I know how bad this is. We have to do many things, such as timeouts and locks on our page, so that it cannot be rude.
source share