Should this SQL code be letting us log in with "username" and "password"?

We are trying to debug some legacy code. We have found that we are able to log into the system by using the password "password" for all users. We can also log in with the username "username" and the password "password", as well as being able to log in with the username "username" and a password of one of the users in the system.

This makes us think that it may be a problem with the SQL query, which may be matching the column "username" OR THE STRING "username" against the username field from the login form. (Same with the password.)

However, we're not VB.net people unfortunately and this behaviour seems to be the same no matter what we do. Here is the original code:

```vb
SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE username = """ & username & """ AND password = """ & password & """"
SQLreader = SQLcommand.ExecuteReader()
```

(we're not sure what all the `"""`s are about)

So using what we know about programming and SQL we did this:

```vb
SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE `username` = """ & username & """ AND `password` = """ & password & """"
SQLreader = SQLcommand.ExecuteReader()
```

Which had no effect. Similarly:

```vb
SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE tblUsers.username = """ & username & """ AND tblUsers.password = """ & password & """"
SQLreader = SQLcommand.ExecuteReader()
```

That had no effect either.

So the question is: is this a problem with the SQL code? Or are we looking in the wrong place? I don't think we are looking in the wrong place. Although we're not VB.net people, we're still pretty proficient at programming.

Also, outputting (tracing) `SQLreader(0)` returns `1` for the query with "username" and "password" as the username and password, which would mean that it is matching something.

Any help would be great. Is there something we are overlooking?

Thanks

(Disclaimer: this code isn't used anywhere in a production environment. You can all relax now!)
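The behaviour the question describes can be reproduced outside VB.net. In a VB.net string literal a doubled `""` is an escaped quote, so `""" & username & """` wraps the submitted value in double quotes in the SQL text. Databases that follow the SQL standard for double quotes (SQLite, and MySQL when `ANSI_QUOTES` is enabled) read a double-quoted token that happens to name a column as that column, so submitting the word `username` produces `WHERE username = username`, which is true for every row; backticks or a `tblUsers.` prefix on the left-hand side do not change that. The following is an added example, not code from the question; it assumes SQLite (via Python's `sqlite3`) in place of whatever database the VB.net application talks to, a constructed two-user `tblUsers` table, and the hypothetical function names `login_concat` and `login_param`. It puts the concatenated query beside a parameterised one, which is the fix: bound values are always data and can never be read as identifiers or SQL.

```python
import sqlite3

# Constructed sample data (not from the original question): two users with
# plaintext passwords, mirroring the tblUsers(username, password, level)
# table the question's query reads.
SAMPLE_USERS = [
    ("alice", "s3cret", 1),
    ("bob", "hunter2", 2),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblUsers (username TEXT, password TEXT, level INTEGER)"
    )
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Reproduce the question's query: the submitted values are glued into the
    SQL text inside double quotes, exactly as the VB.net concatenation does.

    A double-quoted token that names a column is resolved as that column, so
    submitting "username" yields WHERE username = username (true for every
    row); submitting "password" does the same for the password column.
    Tokens that name no column fall back to string literals only on SQLite
    builds with the legacy SQLITE_DQS option enabled (the default); a build
    with it disabled raises "no such column" for those cases instead.
    Returns the (username, level) pairs the predicate matched.
    """
    sql = (
        'SELECT username, level FROM tblUsers WHERE username = "' + username
        + '" AND password = "' + password + '" ORDER BY username'
    )
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened form: the driver binds the values, so the literal text
    "username" can only ever be compared as a string, never as a column."""
    sql = (
        "SELECT username, level FROM tblUsers "
        "WHERE username = ? AND password = ? ORDER BY username"
    )
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("alice", "s3cret"),        # a real user with their own password
        ("username", "password"),   # the question's magic pair: matches everyone
        ("username", "hunter2"),    # any row whose password is hunter2
        ("alice", "password"),      # any row, password check reduced to TRUE
    ]
    for user, pw in attempts:
        print(f"concat {user!r}/{pw!r}: {login_concat(db, user, pw)}")
        print(f"param  {user!r}/{pw!r}: {login_param(db, user, pw)}")
```

Running it shows `login_concat` returning both rows for `username`/`password` while `login_param` returns nothing for the same input, and the first row's `level` of `1` is what the question's `SQLreader(0)` trace was reporting. The parameterised form also closes the ordinary string-injection hole that the concatenation leaves open for any other input; storing passwords in plaintext, as the sample table does to match the question's schema, is a separate problem the query change does not address.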