This is my code
$query = "SELECT * FROM users WHERE email='".mysqli_real_escape_string($link, $_POST['loginemail'])."'AND
password='".md5(md5($_POST['loginemail']) .$_POST['loginpassword']). "'LIMIT 1";
In my text editor, the AND and LIMIT commands show up as strings. I cannot figure out why. Can anyone help?
I think its Sublime problem, CMIIW, if it realy matter for you you can change the code like this..
$email = mysqli_real_escape_string($link, $_POST['loginemail']);
$password = md5(md5($_POST['loginemail']) .$_POST['loginpassword']);
$query = "SELECT * FROM users WHERE email='$email' AND
password='$password' LIMIT 1";
Note: I assume it's php code..
Related
For my site there is a loginsystem where you need to login with your emailadress, but the problem is that my query gives an error when I start writing my emailadress whenever I use a point.
Here is my query:
$sql = "SELECT LeerlingID FROM tblLeerlingen WHERE email = '$myusername' and Wachtwoord = '$mypassword'";
Simply wrap your strings properly:
SELECT LeerlingID FROM tblLeerlingen WHERE email = 'gregoor.maarten.mg#gmail.com' and Wachtwoord = '0dc22c6a909acf658232f6a38e780d7b';
I'm testing some SQL stuff on sqlzoo.net/hack and I'm not getting why
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='
does work for the SQL injection and
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%')
not. Why is it necessary to put this last
AND ''='
?
Also i guess that these SQL injections are very 'old' and won't work. Are there newer methods and are there sites where someone can learn this?
Thanks in advance.
Because you need to close the '.
The code that checks for the password may be something like this:
"SELECT * FROM usersPassword where password = '" + TEXTINPUT + "';"
If you want to simply go in, ' OR ''=' will do the job.
The complete query will be
"SELECT * FROM usersPassword where password = '' OR ''='';"
which is an always true condition.
The example on the website does something more. It checks how the password of a certain user look like, if a certain character is present you will know by the fact that you're able to log in.
EDIT:
In your case the final query will be
"SELECT * FROM usersPassword where password = '' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''=''"
if you don't put the AND
"SELECT * FROM usersPassword where password = '' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%')'" ----> which does not close !
I think it is because it will concat to the input parameter which mean that your first query will be
OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='' OR''='{somevalue}'
which always true
okay i have got this sql statement which someone helped me on here to make this statement the only problem im facing that i want catDesc from te_category table to be appear on my 'Category' table on main page but instead of that i'm getting catID from te_events
This is the code i got from stackoverflow.
$sql = "SELECT * FROM te_events
JOIN te_venue
ON te_venue.venueID = te_events.venueID
WHERE te_events.eventID = $eventID";
this my te_event table screenshot http://prnt.sc/d8e7i1
this is my te_category screenshot http://prntscr.com/d8e87e
I have tried anything but couldn't get what i want please HELP !
use this query:
$sql = "SELECT * FROM te_events
JOIN te_venue
ON te_venue.venueID = te_events.venueID
JOIN te_category ON te_category.catID = te_events.catID
WHERE te_events.eventID = $eventID";
I have a raw query in Symfony2
$sql = "SELECT * FROM Content
JOIN ContentLearningAreas ON Content.id = ContentLearningAreas.content_id
JOIN LearningArea ON ContentLearningAreas.learning_area_id = LearningArea.id
WHERE ContentLearningAreas.learning_area_id = {$id} AND Content.active = 1";
$stmt = $this->getEntityManager()->getConnection()->prepare($sql);
$stmt->execute();
return $stmt->fetchAll();
This works fine, but I wish to cast the results to Content Entities so that their functions still work.
Jake\NameOfBundle\Entity\Content
How can this be done?
EDIT
It appears that this is using PDO and not Doctrine or Symfony2.
Please read about Native Query in doctrine 2.
With NativeQuery you can execute native SELECT SQL statements and map
the results to Doctrine entities or any other result format supported
by Doctrine.
This works;
$stmt = $this->getEntityManager()->getConnection()->prepare($sql);
$stmt->execute();
$items = $stmt->fetchAll(\PDO::FETCH_CLASS, "Jake\NameOfBundle\Entity\Content");
How to use variables declared in the asp VB can be used in the SQL statement for classic ASP?
Problem:
I have a variable
dim username
username = Request.Form("username")
Now I want to use this variable in where clause in the sql statement as shown below:
adoRS.Source = "SELECT * FROM admin WHERE username= //This is where I want this variable to be..
What is the right syntax? Thankyou
dim username
username = Request.Form("username")
adoRS.Source = "SELECT * FROM admin WHERE username= '"+userName+"'"