Hi,

lately I have seen quite a few scripts with the following login procedure:

-------------------------------------------------------------------
$login_rs = mysql_query("SELECT id, pass FROM user WHERE login='$news_user'");
if(mysql_num_rows($login_rs) > 0){
    $login_array = mysql_fetch_array($login_rs);
    if($login_array["pass"] == $news_pass){
        ...
    } else { $login_err=TRUE; }
} else { $login_err=TRUE; }
-------------------------------------------------------------------

I can't think of a way to use this for a successful SQL injection (getting the admin's id and pass).
The output is always the same unless I really enter the correct pass (at least I do not have to guess the user).

Nevertheless, often there is the option given to retrieve the pass via email.
-------------------------------------------------------------------
$email_rs = mysql_query("SELECT * FROM user WHERE email='$email'");
$email_array = mysql_fetch_array($email_rs);

if(mysql_num_rows($email_rs)>0){
    ...
    $msg = ("The password has been sent.");
} else {
    $msg = ("Unknown email address!");
}
-------------------------------------------------------------------
I can use this code for intelligent password guessing because I do get two different outputs depending on success or failure.

Example: a' or length(pass)<10/*
This should give me the output "The password has been sent." if the pass is no longer than 9 chars.
The problem is that every time I am successful with my guessing, the script tries to send an email.

Any ideas how to use those two code snippets to retrieve the admin's data without causing a huge sensation?

tbs

Example: Scarnews v1.2.1
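
The two queries from the post in hardened form, as an added example that is not part of the original post and is not Scarnews code. It assumes PDO with an in-memory SQLite database, a constructed `user(id, login, email, pass)` table holding `password_hash()` output, and the hypothetical function names `check_login` and `request_reset`.

```php
<?php
// Added example: hardened forms of the post's login and password-reminder queries.
// Assumed schema (constructed): user(id, login, email, pass); pass holds password_hash() output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, email TEXT, pass TEXT)');
$ins = $db->prepare('INSERT INTO user (login, email, pass) VALUES (?, ?, ?)');
$ins->execute(['admin', 'admin@example.test', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

// Login: the value is bound as data, so quotes in $login never reach the SQL parser.
function check_login(PDO $db, string $login, string $pass): bool {
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $st = $db->prepare('SELECT id, pass FROM user WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the login is unknown, so both paths do similar work.
    $ok = password_verify($pass, $row ? $row['pass'] : $dummy);
    return $row !== false && $ok;
}

// Reminder: bound parameter plus one message for hit and miss, which removes the
// two-outputs signal the post relies on for guessing.
function request_reset(PDO $db, string $email): string {
    $st = $db->prepare('SELECT id FROM user WHERE email = ?');
    $st->execute([$email]);
    if ($st->fetch(PDO::FETCH_ASSOC) !== false) {
        // A real application would mail a single-use reset token here,
        // never the stored password (hashed passwords cannot be mailed back).
    }
    return 'If the address is registered, a reset link has been sent.';
}

// The string from the post is now only an odd login name or email that matches no row.
$probe = "a' or length(pass)<10/*";
var_dump(check_login($db, 'admin', 'constructed-pass'));
var_dump(check_login($db, $probe, 'x'));
var_dump(request_reset($db, $probe) === request_reset($db, 'admin@example.test'));
```

Rate limiting the reminder endpoint per client and per address also bounds the mail volume the post mentions.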