Subject: This class can be dangerous.
Summary: Package rating comment
Messages: 3
Author: Artur Graniszewski
Date: 2010-08-24 13:27:35
Update: 2010-08-25 12:13:22
Artur Graniszewski rated this package as follows:
Utility: Bad
Consistency: Sufficient
Documentation: Not sure
Examples: Good
Artur Graniszewski - 2010-08-24 13:27:35
This class can be dangerous. If PHP is configured with magic_quotes_gpc = off, every hacker can successfully log in without using a valid password. The simple solution is to type in this username to log in without a password:
<existing_username>' --
So, for example, to log in as admin, you should type in:
admin'--
(with a single quote and two minuses at the end). This is called SQL injection (and this is the simple one ;))
Next time, try to use mysql_real_escape_string() to sanitize your input.
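As an added example, not code from the reviewed package or from either commenter, here is the concatenated query that the admin'-- input breaks, beside a login check built on PDO prepared statements and password_verify(), which stays safe whatever magic_quotes_gpc is set to. The $pdo connection and a users table with username and password_hash columns are assumed; note that the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7, so prepared statements are the current fix.

```php
<?php
// Assumed (hypothetical) schema: users(username, password_hash), where
// password_hash holds a password_hash() digest. $pdo is an open PDO handle.

// The vulnerable pattern: user input concatenated straight into SQL.
function vulnerableQuery(string $user, string $pass): string
{
    // With $user = "admin'--" the WHERE clause becomes
    //   username = 'admin'-- AND password = '...'
    // Everything after -- is an SQL comment, so the password is never checked.
    return "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
}

// Hardened version: the SQL text is fixed at prepare() time and the value
// travels separately as a bound parameter, so quotes or -- inside the
// username can never alter the statement.
function login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same result as a wrong password
    }
    // Verify against the stored hash instead of selecting on the raw password.
    return password_verify($pass, $row['password_hash']);
}

// Connection setup that makes the bound parameters real server-side
// parameters rather than client-side string substitution.
function connect(string $dsn, string $dbUser, string $dbPass): PDO
{
    $pdo = new PDO($dsn, $dbUser, $dbPass);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Show what the concatenated query looks like for the input quoted above.
echo vulnerableQuery("admin'--", 'anything'), PHP_EOL;
```

With ERRMODE_EXCEPTION a malformed query raises an exception instead of being reported to the user, so the login page should catch it and return a generic failure rather than echoing the database error.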
Saeed Ahmed - 2010-08-25 10:50:00 - In reply to message 1 from Artur Graniszewski
Thank you for your wise observation. Did you try my class with magic_quotes_gpc=off?
If you do this admin'-- without a password, then it will show "query could not executed".
Anyway, I plan to add those security matters. So thank you for reviewing my class.
Saeed Ahmed - 2010-08-25 12:13:22 - In reply to message 1 from Artur Graniszewski
Changes are made.