
How hackers hack your web login page and how to stop it.

Updated on January 3, 2012

Ground rules.

It's not legal to subvert other people's on-line accounts. The reason I am writing this is to inform you of one way that malicious crackers could get into your account. If you are a web designer or have employed someone to design your web site, then read this, do the quick test for vulnerability, then fix the hole. Do not attempt to crack other people's sites. My goal here is to educate the good people. The naughty ones already know this stuff. (Yes - you know who you are...)

The test...

The test is simple.

At your login/password entry, just put in a single quote mark and submit. If the web page returns an error because of broken source-code, then your site is probably vulnerable.

Note: More than 16 million Web servers use PHP.

Now I will explain why this could happen.

Why might this test work?

Quite often, the user name and password field are HTML forms, and behind that, either in the rendered web page or hidden on the server that you connected to, there will be some code. It might be PHP or JAVASCRIPT or similar.

Some languages use single quote marks as delimiters for parameters. A delimiter is like a punctuation mark for code. It separates terms and tokens and words etc. Many delimiters are unary which means that only one is required. Here is an example using a comma as a delimiter:


But quote-marks come in pairs. The first from the left turns a mode ON, and the next one turns it OFF.

Example using single quote marks;

123 456 'fred is tall' 789 'bill' 'ted 99'

If you count the ticks, there is always an even number. The tick marks "toggle" a mode. In the example above, the unary delimiter is a space. The space separates numbers and it's fine to do that because a space is not a number. But you can have spaces in strings like "fred is tall" and "ted 99". The quotes toggle between 'number mode' and 'string mode'.

Your log-in code that checks the user name consists of code and parameters. This code could use quotes to toggle between code-execution mode and parameter mode like this:

if ( '$fredpassword' == '$password' ) then allow_access

The stuff that is not quoted is code and the stuff inside the quotes is data.

Here is the code only, each chunk on its own line for clarity:

if (
) then allow_access

and here are the parameters:


The stuff between parentheses is called an expression. This is a mathematical statement. In this case, it's a test for equality. All it is doing is testing whether the password typed in is the same as fred's password.

The web-login form allows the user to enter ANY characters into $password. This is not the best idea because we can enter a character that is used to toggle code-mode. This scrambles the logic (syntax) and the interpreter throws an unexpected error which is usually spat onto the web page.

Here is an example of what the code might be interpreted as if you use a single quote as a password... (Let's assume fred's password is 'badcodeday'.)

if ( 'badcodeday' == ''' ) then allow_access

Note that there are now an ODD number of quote marks.

Now if we "parse" this into code and parameters, look what happens:

code: if ( 

That's all the code there is now. So let's look at the parameters:

 ) then allow_access

This is clearly nonsense and it is why the interpreter throws an error.

So what if it throws an error?

Since we can type ANY characters in as a proposed password, we can also type code fragments. By being crafty, we can add code that maintains valid syntax and makes the expression evaluate to TRUE. If we can do that, then the modified code lets us in without knowing the password.

Some boolean logic:

A statement is something that can be evaluated to TRUE or FALSE. eg:

  1. All birds have four wings. (FALSE)
  2. 0=0 (TRUE)

Now, even though 1. is false, we can combine these and maintain an OVERALL statement of TRUE.

(All birds have four wings) OR (0=0)

This is now a true statement because 0=0. When the interpreter evaluates a statement like this, it is following the Boolean logic truth table for an OR expression. It looks like this:

A B Q
0 0 0
0 1 1
1 0 1
1 1 1

'Q' is the TRUE/FALSE result where 1 represents TRUE. A and B are the results of two evaluated sub-statements. Every case is covered, and you can see that Q becomes 1 when either (or both) A OR B are 1. i.e. you only need to find ONE true statement in a string of OR joined statements to immediately decide the truth of the whole statement.

Knowing this, all we need to do is craft a new syntax and expression by manipulating what is in the password parameter.

The hack

Here is the intended code

if ( '$fredpassword' == '$password' ) then allow_access

Let's ignore the content of fredpassword as we don't know it anyway, and craft a new statement that makes it irrelevant.

Type into the password field the following:

' OR '1

This makes the code look like this:

if ( '$fredpassword' == '' OR '1' ) then allow_access

This says, "If $fredpassword equals '' 

(Which reads: if fredpassword is nothing... This is FALSE but we don't care.)


if 1

then allow access.

Well of course the expression '1' evaluates to true! That's what 1 means. 

We could also use a sub expression like this

if ( '$fredpassword' == '' OR '0==0' ) then allow_access

It's basically the same idea. zero equals zero which is a true statement.

Or we could try:

if ( '$fredpassword' == '' OR '1>0' ) then allow_access

At least now we don't need to guess that equality is tested using the double = symbol. Most languages try to distinguish between a test for equality as == and an assignment = as in


where the value 4 is 'assigned' to the variable b. In contrast, 


is a test to see whether b has the same value as 4.


Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

Ok brainiac, how do I fix it?

There are a few ways.

You can install the Suhosin patch for PHP. This will harden against buffer overflows and sloppy programming.

One (outdated) way that might work is to make every character "literal". In Unix, Linux, Perl, PHP, Python and many other languages, to embed a quote mark (or any other special delimiter) in a string, you can make it literal by prepending a backslash.

Non-special characters that are "escaped" in this way are still interpreted normally.

Therefore, these two strings are equivalent:

fred == \f\r\e\d

And you would embed a quote mark inside a string like this:

'This \' is a quote mark'

When the parser sees the back slash it does not switch mode no matter what the next character is. The next character is taken as a literal.

Therefore, if you use a function to insert these back-slashes into the entered password field, the interpreter will not get broken by the single quote mark, and the hack is not applicable.
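The single-quote test and the `' OR '1` input described above can be reproduced safely against a throwaway in-memory database. This is an added example, not code from the original article: it uses Python's sqlite3 module, and instead of the backslash escaping described here it uses parameter binding, which keeps the input in "data mode" without any escaping step. The table layout and function names are assumptions; the account fred / badcodeday is the article's own example.

```python
import sqlite3

def make_db():
    """In-memory database holding one constructed account (fred / badcodeday)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only to mirror the article's comparison; real systems store password hashes.
    db.execute("INSERT INTO users VALUES ('fred', 'badcodeday')")
    return db

def login_concatenated(db, name, password):
    """Vulnerable: user input is pasted between the quote marks of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    try:
        return "allow" if db.execute(sql).fetchone()[0] > 0 else "deny"
    except sqlite3.Error:
        # An odd number of quotes breaks the syntax: the error the article's test looks for.
        return "error"

def login_bound(db, name, password):
    """Fixed: ? placeholders pass the input as data, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return "allow" if db.execute(sql, (name, password)).fetchone()[0] > 0 else "deny"

def compare(db, name, password):
    """Return (vulnerable result, fixed result) for the same input."""
    return login_concatenated(db, name, password), login_bound(db, name, password)

if __name__ == "__main__":
    db = make_db()
    # Correct password, wrong password, the article's test, the article's bypass input.
    for pw in ("badcodeday", "wrong", "'", "' OR '1"):
        print(repr(pw), compare(db, "fred", pw))
```

With the bound version, the lone quote mark is just a wrong password, so the page shows a normal "login failed" instead of a source-code error.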

There is something called 'magic quotes', which is supplied by a function called stripslashes(). However, this "solution" is deprecated because of performance problems and incompatibility. It escapes EVERY character. In reality, you only need to escape the quotes.

Instead, you should call


The following characters are affected:


Alternatively and preferably as well, you can apply input-validation on every character typed into the web page.

As a character is entered, it is accepted or rejected depending on your rules. An input field for a date for example could use a mask like this:

dd/mm/yyyy , dd:{checkday()} , mm:{checkmonth} , yyyy:{checkyear}

This is a set of rules for data entry. dd is the DAY of the month, but since this varies month by month, we check it with functions called checkday and checkmonth. Only digits can be typed, i.e. hitting the key H does nothing, and neither does & or * or '

In this way, the input is guaranteed to be in good form BEFORE it gets used. You can use this technique on all input fields to define the input data to within expected and previously tested ranges. It's a safe way to program in general.
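The dd/mm/yyyy mask above, written as a check that runs on the server when the form is submitted, since a mask enforced only in the browser can be bypassed by sending the request directly. This is an added example, not code from the original article: the function names follow the mask, but their signatures and the accepted year range are assumptions.

```python
import re
from datetime import date

# dd/mm/yyyy: ASCII digits and slashes only. [0-9] is used instead of \d because
# \d also matches non-ASCII digit characters in Python str patterns.
MASK = re.compile(r"([0-9]{2})/([0-9]{2})/([0-9]{4})")

def checkyear(yyyy, lo=1900, hi=2100):
    """Accept only years in an expected range (the range is an assumption)."""
    return lo <= yyyy <= hi

def checkmonth(mm):
    return 1 <= mm <= 12

def checkday(dd, mm, yyyy):
    """The day must exist in that month and year, leap years included."""
    try:
        date(yyyy, mm, dd)
        return True
    except ValueError:
        return False

def parse_date_field(raw):
    """Return a datetime.date if raw obeys the mask and every rule, else None."""
    if not isinstance(raw, str):
        return None
    # fullmatch rejects anything before or after the mask, including a trailing newline.
    m = MASK.fullmatch(raw)
    if m is None:
        return None
    dd, mm, yyyy = (int(g) for g in m.groups())
    if not (checkyear(yyyy) and checkmonth(mm) and checkday(dd, mm, yyyy)):
        return None
    return date(yyyy, mm, dd)

if __name__ == "__main__":
    # Constructed sample inputs.
    for raw in ("03/01/2012", "29/02/2012", "29/02/2011", "31/04/2012",
                "03/01/2012\n", "' OR '1"):
        print(repr(raw), parse_date_field(raw))
```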



    • profile image

      Rivera55 19 months ago

      Good days! Very interesting, though good part escapes to my scanty knowledge of HTML.

      Still I have the Dreamweaver CS6 and have in stop sign the project to learn more. But I had a blog in 2010 that was attacked by a hacker, Bin Laden's photo appeared on the screen of my computer with black background and a music of the Arabic style but as sinister in the harmonic sense and sincerely, I was a bit scared.

      I had to write urgently to the webmaster to ask for help. Arabic experts had to search in computer science because they changed the language of the whole system of codes. I was without blog almost one week, but finally it had solution. It was the first and only time that I suffered the assault of a hacker, up to this moment, and it is something too disagreeable.

      Thank you for the advice. It is evident that your knowledge is high.


    • villete profile image

      Vicky 2 years ago

      Although this is an old hub, it is still helpful.

    • JY3502 profile image

      John Young 5 years ago from Florence, South Carolina

      uh...what did he say?


    • Onlinestrategies profile image

      Onlinestrategies 5 years ago

      Many websites are vulnerable to SQL Injection. Hardening your site against SQL injection requires good knowledge about what makes hacking possible in a website. This is a good overview exposing the methods used by hackers.

    • Blue Jhon profile image

      Blue Jhon 6 years ago from Kakrail, Dhaka, Bangladesh

      If the admin page is open only to some IPs, then hacking can be reduced.

    • Manna in the wild profile image

      Manna in the wild 6 years ago from Australia

      Unfortunately SQL injection is still very common. You might be thinking of XSS which is harder to defend against.

    • profile image

      Deep 6 years ago

      This WAS one of the peculiar ways to hack the login information, the other known was the cgi-bin hack, BUT nowadays login information is mostly passed through SSL certificates so we are least worried about these hacks.

    • profile image

      rorshak sobchak 7 years ago

      Really impressive write up. Keep up the great work!

      rorshak sobchak

    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      Thank you for reading this SJKSJK (cool user name btw!)

      Cheers Gary.

    • Gary Shorthouse profile image

      Gary Shorthouse 7 years ago from Reading, UK

      I always knew about this in general terms, but now I understand the detail. You have a very clear and easily understood way of explaining your concepts.

    • SJKSJK profile image

      SJKSJK 7 years ago from delray beach, florida

      Thanks for the information. I have been hacked and don't want it to happen again.

    • Lady_E profile image

      Elena 7 years ago from London, UK

      Thanks so much. I am Bookmarking this to study closely.

    • Jane Bovary profile image

      Jane Bovary 7 years ago from The Fatal Shore

      Wow fascinating...and useful. Manna, reading one of your hubs is like trying to work out an extremely difficult puzzle. I'm sure it's good for my brain...:)

    • profile image

      Exmoor 7 years ago

      Yikes. And I THOUGHT I was computer literate.

    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      I added a reference to the PHP hardening patch/extension called Suhosin.

    • SJKSJK profile image

      SJKSJK 7 years ago from delray beach, florida

      Thanks for the tips.

    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      Hi f_hruz,

      You wrote

      "Thanks for taking a crack at my question!

      Since there was nothing wrong with either the user name nor the password ... and it worked ok a little while later without a reset, it may just have been a bit slow to create the entries in the flat file db to let me in - it's not using MySQL"

      That's interesting.


    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      Thanks f_hruz

      By far the most likely is you got the password or user id wrong. Leaving CAPS-LOCK on is common. You will need to request a password-reset.

    • f_hruz profile image

      f_hruz 7 years ago from Toronto, Ontario, Canada

      Great info, and what can you do to find out why a new account you just created with the used ID and password you just had confirmed ... refuses to let you in? :)

    • RealHousewife profile image

      Kelly Umphenour 7 years ago from St. Louis, MO

      Thank you so much! I'm going to check that out.

      I'm also chuckling about testing the computer guy with this! I wonder if he can keep up? Haha!

    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      There are tools to help. Like the scanning tool supplied here:

    • RealHousewife profile image

      Kelly Umphenour 7 years ago from St. Louis, MO

      Very cool! I was only kidding @Pcunix:). I was pretending to be smart! Lol

      I still think it's interesting and if I hadn't read this I sure wouldn't have known to ask the guy who takes care of my network issues to check, so thanks! I'm already wondering how quick he can get over here:)

    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      Austinstar: Potentially. You are at the mercy of the security team at hubpages. This link: gives you an incomplete list of high profile sites vulnerable to XSS (Cross Site Scripting -- which is a special case of the code-injection example that I gave.) Note that google and yahoo have even been vulnerable but fixed the problem. I don't see hubpages on that list. It's a worry how many have apparently not fixed the vulnerability.

      Pcunix: Right on!

      RealHousewife: It's good to see consensus.

      Having awareness is more important than a deep understanding. At least if you are aware you can alert your programmers. About 80% of web-hacks involve some form of XSS.

    • RealHousewife profile image

      Kelly Umphenour 7 years ago from St. Louis, MO

      Yeah, that's what I was talking about Pcunix:) !

    • Pcunix profile image

      Tony Lawrence 7 years ago from SE MA

      I scrub all input and also limit its length to no more than what is appropriate for the task. Perl's "taint" mode can be helpful too (I do everything I can in Perl rather than PHP because PHP has had such a horrid security history).

    • Austinstar profile image

      Lela 7 years ago from Somewhere in the universe

      Can the hackers break into HubPages or FaceBook in this same way? Or do they use some other method. How do we protect our HP and FB accounts?

      I'm going to get right on my domain account since it has been used extensively as a robot for spam.

    • RealHousewife profile image

      Kelly Umphenour 7 years ago from St. Louis, MO

      Really interesting! Most of it is way over my head - I do sort of understand but ugh that is why I have someone like you come over and bullet proof my computers. I always wanted to be a hacker Manna, now I see why that will never happen:( lol! My friend would love to read this though - often he tries to explain this stuff to me, and I get lost in translation:)

      I am going to make sure I figure out, with my computer guy's help of course, how to protect my accounts! Thanks so much. I just had a friend who had her email account hacked - it is still an ongoing nightmare.

    • Manna in the wild profile image

      Manna in the wild 7 years ago from Australia

      Hi diogens & Jeff.

      For those who have done any programming -- even a little, this should make sense. Many at this level are not aware of how a hacker/cracker thinks. But once you get into the groove, you can make more secure code.

      For non-programmers: If you have a web site, then you can try your own site and enter a single quote mark for user name, password or both. Try all kinds of odd characters and see if any combination breaks the web page code. If so, you don't need to understand what's going on exactly -- just notify your webmaster and get it fixed.

    • Jeff May profile image

      Jeffrey Penn May 7 years ago from St. Louis

      Okay, I understood about half of that and was feeling fantastically intelligent, then realized my understanding was limited to only phrases but not to the whole, thus understanding nothing. But if I combine my nothing to my half will I be able to hack?

      I will try the "" suggestion, assuming I understand what I'm doing.

    • diogenes profile image

      diogenes 7 years ago from UK and Mexico

      Any article written in English that completely baffles me leaves me in awe. I hope other hubbers are more computer literate and understand this advice...Bob

