BugTraq
Name:
Email:
*Note: Email address will appear as "user domain ext" to prevent harvesting.
Subject:
Message:
 
Y.A.N.S sql injection Nov 08 2006 12:59PM
navairum gmail com
Product: YANS (yet another news system)
Link: http://sourceforge.net/projects/yans/

vuln code:
$resultado = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'") or die (mysql_error());

simple sql injection
' or '1=1
' or '1=1

-navairum
...

[ more ]  
 

Privacy Statement
Copyright 2010, SecurityFocus