Quote:
Originally Posted by Dave
You think I'd never tried to SQL Inject LB on day 1?
Also this wouldn't work because you don't concatenate the username and password. You use quotation marks to break out of the username string and leave the password blank.
I think it'd go:-
Username: EtH" OR User_Id = 1
This would say something like SELECT * FROM Users WHERE Username = "EtH" OR User_Id = 1"
Off the top can't remember how you handle the password though.
SQL injections are ridiculously easy to prevent, was only a significant problem yearsss ago
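
An added example, not part of either post: the username input from the quote, first pasted into the query text and then bound as a parameter. The `Users` table layout beyond `Username` and `User_Id`, the sample accounts and the function names are assumptions made up for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def unsafe_query(username):
    # The "before": input pasted into the SQL text, as in the quoted post.
    # Shown as a string only; it is never executed here.
    return 'SELECT * FROM Users WHERE Username = "' + username + '"'


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed sample data; Salt and PwHash columns are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (User_Id INTEGER PRIMARY KEY, "
                 "Username TEXT UNIQUE, Salt BLOB, PwHash BLOB)")
    for uid, name, pw in [(1, "admin", "constructed-admin-pw"),
                          (2, "EtH", "constructed-user-pw")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO Users VALUES (?, ?, ?, ?)",
                     (uid, name, salt, hash_password(pw, salt)))
    return conn


def login(conn, username, password):
    # Placeholder binding: the driver passes username as a value, so a
    # quotation mark inside it cannot end the string or add an OR clause.
    row = conn.execute("SELECT User_Id, Salt, PwHash FROM Users "
                       "WHERE Username = ?", (username,)).fetchone()
    if row is None:
        return None
    user_id, salt, pw_hash = row
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        return user_id
    return None


if __name__ == "__main__":
    conn = make_db()
    quoted_input = 'EtH" OR User_Id = 1'
    print(unsafe_query(quoted_input))       # query structure changed by input
    print(login(conn, quoted_input, ""))    # bound as data: no such user
    print(login(conn, "EtH", "constructed-user-pw"))
```

With binding, the whole input is compared against `Username` as one literal string, so the only way in is a real username with its matching password.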