Using a MySQL Database to Validate Usernames and Passwords

A common mistake many developers make is using their MySQL database to validate a user name and password combination.

Here’s a typical SQL query checking for the existence of a user trying to login:

SELECT 1 FROM  WHERE USERNAME="" AND USERPASSWORD=""

If a record matches, the database returns that record and the process continues.

But in MySQL, the above query allows a person with knowledge of the just the USERNAME alone to gain access to the system without much difficulty.

For instance, suppose a user keys in the value for USERNAME as ##” and for PASSWORD, he keys in anything. Because MySQL interprets the character “##” as a comment, the query is terminated when the “##” character is found and there definitely will be a record matching just the username. The query thus returns a record and allows this user to login.

Here’s an effective query:

SELECT 1 FROM  WHERE USERNAME=""

Always be sure to check whether the username contatins a character like “##” and throw an appropriate error before even sending it to the database.

Share the Post:
Share on facebook
Share on twitter
Share on linkedin

Overview

Recent Articles: