First, a reminder to several (including some in this thread) that
top-posting is against the law here.

On Wed, Jul 8, 2009 at 09:48, Martin Scotta<> wrote:
> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
> .'\'))';

    Second, another, more important reminder:

$username = '" OR 1 OR "';

    Since the first rows in a database are usually the default
administrator logins, the first to match what is basically a 'match if
this is a row' statement will be logged in.  The moral of the story:
don't forget to clean your input (which I'm sure ya'all were doing....
but with top-posters, you never know ;-P).

</Daniel P. Brown> || ||
Check out our great hosting and dedicated server deals at

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to