Quote:
Originally Posted by Mutt
I don't understand how a blank username/password combo is letting people into some of those sites' members areas. Anybody have an idea why that happens?
This happens when you have a really dumb MySQL clause like:
select count(*) from users where username='$username' and password='$password';
Then the pseudocode for the login/admin:
.. if (count(result) > 0) ...
If absolutely nothing/empty is passed, there's often an 'empty' account in there from testing or otherwise, and when it returns a valid result, they get access.
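An added example, not part of the original post: the count-based check described above next to a hardened version, run against an in-memory SQLite table that contains a leftover blank test row. The table layout, function names and sample rows are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def _hash(password, salt):
    # Salted PBKDF2 hash used only by the hardened path.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data: one real account plus a leftover blank test row."""
    db = sqlite3.connect(":memory:")
    # The plaintext 'password' column exists only so the naive check can be shown.
    db.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse"), ("", "")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (user, pw, salt, _hash(pw, salt)))
    return db

def naive_login(db, username, password):
    """The check from the post: any matching row counts as a login."""
    # Query is built by string interpolation, as in the post (so it is also injectable).
    sql = f"select count(*) from users where username='{username}' and password='{password}'"
    return db.execute(sql).fetchone()[0] > 0

def hardened_login(db, username, password):
    """Reject empty input, bind parameters, and compare a salted hash."""
    if not username.strip() or not password:
        return False
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _hash(password, row[0]))

def blank_accounts(db):
    """Audit query: rows that should never exist in a production users table."""
    return db.execute(
        "SELECT COUNT(*) FROM users WHERE TRIM(username) = '' OR password = ''"
    ).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("naive, blank creds:   ", naive_login(db, "", ""))
    print("hardened, blank creds:", hardened_login(db, "", ""))
    print("blank rows to clean up:", blank_accounts(db))
```

Running the audit query against a real users table and deleting whatever it finds removes the condition the post describes, independent of fixing the login code.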