| List: | General Discussion | « Previous MessageNext Message » | |
| From: | Critters | Date: | May 10 2006 8:53am |
| Subject: | 1' and '1' or '1 | ||
| View as plain text | |||
Hi A user was able to log into my site using: 1' and '1' or '1 in the username and password box. I ran the query SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1' And it returned all rows. Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) is enough to prevent a similar "hack" Appreciate any feedback. -- Dave
| Thread | ||
|---|---|---|
| • 1' and '1' or '1 | Critters | 10 May |
| • Re: 1' and '1' or '1 | Sander Smeenk | 10 May |
| • Re: 1' and '1' or '1 | Duncan Hill | 10 May |
| • Re: 1' and '1' or '1 | Martijn Tonies | 10 May |
| • Re: 1' and '1' or '1 | Chris Sansom | 10 May |
| • Re: 1' and '1' or '1 | Johan Lundqvist | 10 May |
| • Re: 1' and '1' or '1 | sheeri kritzer | 12 May |
| • Re: 1' and '1' or '1 | Critters | 10 May |
| • RE: 1' and '1' or '1 | Dewald Troskie | 10 May |