Skip navigation.
Home
The PHP WTF
Home

Why check one password when you can check them all...

Submitted by phrax on Fri, 2004-10-29 15:14. DB Hoopla

Of all the WTF submissions I've gotten, this is one that I actually wanted to confirm. I didn't think anybody, no matter how beginner would pull something like this:

<?php
$query = "SELECT * FROM passwords";
$mysql_result = mysql_query($query, $mysql_link);
while($row = mysql_fetch_array($mysql_result)) {
   if ($row[0] == $passwd){
                 print("ok");
                 return 0;
   }
}
?>

Short and not so sweet. Thanks to Piotr Budny for sending this in. Somebody complained that his web sites wasn't working so Piotr dug into it and found today's WTF! Yikes!

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Submitted by kNo' (not verified) on Fri, 2004-10-29 14:28.
great! Now I know why my webmail is sooooooooo slow when I login.
» reply

Submitted by Daniel Drucker (not verified) on Fri, 2004-10-29 15:29.

# let's figure out who we're talking to

my $term = new Term::ReadLine::Gnu;
my $termattribs = $term->Attribs;
$termattribs->{redisplay_function} = $termattribs->{shadow_redisplay};
my $pass = $term->readline("mail password (echos stars): ");
$term->remove_history($term->where_history);

my $sth = $dbh->prepare("SELECT user FROM passwd WHERE clear = ?");
$sth->execute($pass) || die $dbh->errstr;;
if ($sth->rows == 1)
{
$h = $sth->fetchrow_hashref;
$user = $h->{user};
}
else
{
die "Incorrect password\n";
}

» reply

Submitted by Daniel Drucker (not verified) on Fri, 2004-10-29 15:30.
That is to say -- here's another example of this sort of thing. In the above code, the user enters their password, and the system figures out who they are based on who has that password.

Of course, if two people set the same password, both of them get locked out.
» reply

Submitted by Andrew (not verified) on Mon, 2004-11-01 05:13.
I knew it was going to be bad from the first line:
» reply

Submitted by eth0 (not verified) on Tue, 2004-11-02 01:35.
Oh yes, and why encrypt passwords at all? MySQL has a built-in MD5 function, you know. :)
» reply

imagine if ebay used that kin

Submitted by Wilfried (not verified) on Tue, 2004-12-07 20:35.
imagine if ebay used that kind of code.
» reply

Post new comment




*

  • Web and e-mail addresses are automatically converted into links.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <pre> <p> <br /> <br>
More information about formatting options