Now if one can make a pretty good guess at what a developer might call the particular recordset returned, we could attempt to replace this y var with an escaped sequence that would just call the data again. Basically - y=x and then if x = y (login) else (logout)
Commonly, a lot of "web developers" stick user-supplied data into a SQL query. For example:
select * from documents where document_id = "$document_id"
The resulting SQL that gets executed is:
select * from documents where document_id = "whatever"; update usertable set password = "cracked" where username = "Joe Sysadmin"
Everything between the first quote and last quote is user-supplied.
If you use Perl DBI, use placeholders religiously and you can avoid such problems. In languages/shops where you aren't able to use placeholders you must remember to quote (or filter using a "default deny" approach) the arguments before passing them to SQL. And you must remember every single time.
It's a lot like the old problem of escaping shell metacharacters before calling system(). It's amazing how history repeats itself (or at least "rhymes" as Mark Twain once said).
[ Parent ]
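The comment above describes the injection and the placeholder fix in Perl DBI terms; the following is an added example (not code from the original post) that reproduces both halves with Python's standard sqlite3 module so it can be run offline. The tables, rows and the document_id payload are constructed for the demo; the query uses single quotes rather than the post's double quotes because SQLite treats double-quoted text as an identifier first, and executescript() stands in for a driver that accepts several statements in one string.

```python
import sqlite3

# Constructed sample schema and rows (not from the original post): one
# documents table the query is meant to read, and one usertable it must
# never touch.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table documents (document_id text, title text);
        create table usertable (username text, password text);
        insert into documents values ('doc1', 'Public notes');
        insert into usertable values ('Joe Sysadmin', 'original');
    """)
    return conn

def lookup_interpolated(conn, document_id):
    # Vulnerable: the caller's value is pasted into the SQL text, exactly the
    # pattern the post describes. executescript() plays the role of a driver
    # that runs stacked statements, so anything after the closing quote runs
    # as a second statement. Returns the SQL that actually executed.
    sql = "select * from documents where document_id = '%s'" % document_id
    conn.executescript(sql)
    return sql

def lookup_placeholder(conn, document_id):
    # Safe: the value travels to the driver separately from the SQL text, so
    # whatever it contains is compared as one string against document_id.
    return conn.execute(
        "select * from documents where document_id = ?", (document_id,)
    ).fetchall()

def admin_password(conn):
    return conn.execute(
        "select password from usertable where username = 'Joe Sysadmin'"
    ).fetchone()[0]

# Constructed payload in the shape the post shows: close the literal, then
# append an update against another table.
PAYLOAD = "x'; update usertable set password = 'cracked' where username = 'Joe Sysadmin"

def demo():
    results = {}

    # Interpolated query: the appended update statement runs.
    conn = make_db()
    lookup_interpolated(conn, PAYLOAD)
    results["interpolated"] = admin_password(conn)        # 'cracked'

    # Placeholder query: the same payload matches no document and changes
    # nothing, because it is only ever a value, never SQL.
    conn = make_db()
    rows = lookup_placeholder(conn, PAYLOAD)
    results["placeholder"] = (admin_password(conn), len(rows))  # ('original', 0)

    # Ordinary lookups still work with the placeholder form.
    results["normal"] = len(lookup_placeholder(conn, "doc1"))   # 1
    return results

if __name__ == "__main__":
    print(demo())
```

The point the post makes about "every single time" is visible in the shape of the code: lookup_placeholder is safe regardless of what the caller passes, while lookup_interpolated is only safe if every caller remembers to quote, so the placeholder form is the one to standardise on.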