7th July 2008, 11:01 PM   #4
fluxman
In case anybody doesn't know, if you don't use mysql_real_escape_string, then you can hack into password-protected areas using a username/password of
Code:
' or ''='
or

Code:
' or 1=1; --
and you can even insert malicious SQL statements that delete tables etc.

I was bored one morning and tried to find websites I could "hack into" using the most basic mysql attacks...I found three in my local area alone.. :S good fun tho!

(Not that I'm trying to promote malicious hacking, but if you're not aware of at least the above, then you shouldn't be charging for making websites with password-protected sections!)