The troubling point is that the SQL queries displayed indicated that the database is possibly storing passwords in a plain-text format, rather than an encrypted format. Part of the SQL query included the statement
where password = 'passwordhere'
When using PHP/MySQL, queries often use the MySQL password hashing algorithm by specifying it in the query itself:
SELECT * FROM tableName WHERE password = PASSWORD('password here');
Using this method ensures that the password is stored in an encoded fashion that is not easily reverse engineered.
Now, I suppose that it *is* possible that the developer of the site is using a hash within PHP to encode the password and storing the hash intead of the password text. This isn't generally the way it is done, however and I can't be sure from looking at a couple of queries whether or not they are, in fact, encrypted.
Everyone needs to make very sure they have not reused a password for SGW thinking that their password is encrypted and therefore secure. Even a password hash built from within the PHP framework could be easily replicated by a user with enough time and skill.
I think it would be nice if the administrator of the site would assure the users of SGW that their passwords are being hashed before they hit the database and/or that steps are underway to ensure that passwords are not stored plain-text.
On a positive note, I was pleased to see that simple SQL injection seems to have been addressed by the code and that SQL special characters are either being stripped or escaped before being passed into the query string.
FYI and thanks.
