Question

We are trying to debug some legacy code. We have found that we are able to log into the system by using the password "password" for all users. We can also log in with the username "username" and the password "password" as well as being able to log in with the username "username" and a password of one of the users in the system.

This makes us think that it may be a problem with the SQL query which may be matching the column "username" OR THE STRING "username" against the username field from the login form. (Same with the password).

However, we're not VB.net people unfortunately and this behaviour seems to be the same no matter what we do. Here is the original code:

' In a VB.NET string literal, "" is an escaped double-quote character, so the
' resulting SQL text wraps each value in double quotes.
SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE username = """ & username & """ AND password = """ & password & """"
SQLreader = SQLcommand.ExecuteReader()

(we're not sure what all the """s are about)

So using what we know about programming and SQL we did this:

SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE `username` = """ & username & """ AND `password` = """ & password & """"
SQLreader = SQLcommand.ExecuteReader()

Which had no effect, similarly:

SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE tblUsers.username = """ & username & """ AND tblUsers.password = """ & password & """"
SQLreader = SQLcommand.ExecuteReader()

That had no effect either.

So the question is: is this a problem with the SQL code? Or are we looking in the wrong place? I don't think we are looking in the wrong place. Although we're not VB.net people, we're still pretty proficient at programming. Also, outputting (tracing) SQLreader(0) returns 1 for the query with "username" and "password" as the username and password, which would mean that it is matching something.

Any help would be great. Is there something we are overlooking?

Thanks

(Disclaimer: this code isn't used anywhere in a production environment. You can all relax now!)


Solution

If I'm reading this correctly, you've got a couple of problems here.

Assuming you're connecting to a Microsoft SQL Server here (since you're using the SQLCommand), you're putting double quotes around the username and password variables, thereby denoting that you're comparing the column username with the column (whatever is in the variable). Let's say Username has "john" and password has "1234" in it. Your SQL statement looks like this:

SELECT level FROM tblUsers WHERE username = "john" and password = "1234"

Double Quotes mean that whatever text is in there is the name of a column, so SQL is looking for columns called john and 1234. You should use single quotes / apostrophes.

SELECT level FROM tblUsers WHERE username = 'john' and password = '1234'

If you're using the username "username" and the password "password", you're actually just selecting level from the user table where the username column = the username column, and the password column = the password column. (:

Anyway, besides all of that, pasting variables directly into your SQL query leaves your query open for SQL Injection, so it's better to use parameters.

' Placeholders in the SQL text; the values never become part of the query string.
SQLcommand.CommandText = "SELECT level FROM tblUsers WHERE username = @username AND password = @password"
SQLcommand.Parameters.AddWithValue("@username", username)
SQLcommand.Parameters.AddWithValue("@password", password)
SQLreader = SQLcommand.ExecuteReader()

Give that a shot.
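The following is an added example, not code from the question or the answer: it reproduces both queries in Python against an in-memory SQLite database. SQLite, like SQL Server with QUOTED_IDENTIFIER ON, resolves a double-quoted name to a column when a column of that name exists, so the concatenated query with the values "username" and "password" compares each column with itself and matches every row, exactly as the question describes. The parameterized version treats the same values as plain data. The table layout and user rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tblUsers table shaped like the one in the question."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblUsers (username TEXT, password TEXT, level INTEGER)")
    con.executemany(
        "INSERT INTO tblUsers VALUES (?, ?, ?)",
        [("john", "1234", 1), ("alice", "s3cret", 2), ("o'brien", "pw", 3)],
    )
    return con


def login_concatenated(con, username, password):
    """Mirror of the original VB.NET query: values pasted in with double quotes.

    Because the value is parsed as part of the SQL text, a value that happens
    to equal a column name becomes a column reference. With username="username"
    and password="password" the WHERE clause is 'username = username AND
    password = password', which is true for every row.
    """
    sql = (
        'SELECT level FROM tblUsers WHERE username = "%s" AND password = "%s"'
        % (username, password)
    )
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, username, password):
    """Equivalent of the answer's @username/@password version.

    The driver sends the values separately from the SQL text, so they are
    always compared as strings, never interpreted as identifiers or SQL.
    A stored apostrophe (o'brien) also needs no special handling.
    """
    sql = "SELECT level FROM tblUsers WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, username/password :", login_concatenated(db, "username", "password"))
    print("parameterized, username/password:", login_parameterized(db, "username", "password"))
    print("parameterized, john/1234        :", login_parameterized(db, "john", "1234"))
    print("parameterized, o'brien/pw       :", login_parameterized(db, "o'brien", "pw"))
```

The concatenated function is only called with the column-name values here; how a double-quoted value that is not a column name behaves differs between engines (SQL Server with QUOTED_IDENTIFIER ON raises an invalid-column error, MySQL treats it as a string, SQLite falls back to a string literal in its default build), which is one more reason to keep values out of the SQL text altogether.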

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow