i was trying to inject some SQL to get a false login in one of my scripts. since i am no PRO in all this scripting i would like to consult some of you.
thanks in advance. thats my script:
username = request.QueryString("username")
password = MD5("kam" & request.QueryString("password"))
Set userinfo = Server.CreateObject("ADODB.Recordset")
userinfo.ActiveConnection = MM_KerenDB_STRING
userinfo.Source = "SELECT * FROM KAMUsers WHERE username = '" & username & "' AND password='" & password & "'"
userinfo.CursorType = 0
userinfo.CursorLocation = 2
userinfo.LockType = 1
if (NOT (userinfo.EOF AND userinfo.BOF)) then
session("userlevel") = userinfo.fields.item("ulevel").value
session("username") = userinfo.fields.item("username").value
session("userid") = userinfo.fields.item("ID").value
Set userinfo = Nothing
i am not sure if you understand the login method so i'll explain it. you enter a username and password. a username can be used only by one user. password is being md5ed with some string. than it looks for it in the users DB. since it will find only one or none record, if it finds one than its a user with a correct pass. else, oops, try again.