Skip navigation.
Home

Why check one password when you can check them all...

DB Hoopla

Of all the WTF submissions I've gotten, this is one that I actually wanted to confirm. I didn't think anybody, no matter how beginner would pull something like this:

<?php
$query
= "SELECT * FROM passwords";
$mysql_result = mysql_query($query, $mysql_link);
while(
$row = mysql_fetch_array($mysql_result)) {
   if (
$row[0] == $passwd){
                 print(
"ok");
                 return
0;
   }
}
?>

Short and not so sweet. Thanks to Piotr Budny for sending this in. Somebody complained that his web sites wasn't working so Piotr dug into it and found today's WTF! Yikes!

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

great! Now I know why my webmail is sooooooooo slow when I login.


# let's figure out who we're talking to

my $term = new Term::ReadLine::Gnu;
my $termattribs = $term->Attribs;
$termattribs->{redisplay_function} = $termattribs->{shadow_redisplay};
my $pass = $term->readline("mail password (echos stars): ");
$term->remove_history($term->where_history);

my $sth = $dbh->prepare("SELECT user FROM passwd WHERE clear = ?");
$sth->execute($pass) || die $dbh->errstr;;
if ($sth->rows == 1)
{
$h = $sth->fetchrow_hashref;
$user = $h->{user};
}
else
{
die "Incorrect password\n";
}

That is to say -- here's another example of this sort of thing. In the above code, the user enters their password, and the system figures out who they are based on who has that password.

Of course, if two people set the same password, both of them get locked out.

I knew it was going to be bad from the first line:

Oh yes, and why encrypt passwords at all? MySQL has a built-in MD5 function, you know. :)

imagine if ebay used that kin

imagine if ebay used that kind of code.

Post new comment




*

  • Web and e-mail addresses are automatically converted into links.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <pre> <p> <br /> <br>