List: General Discussion
From: Critters Date: May 10 2006 8:53am
Subject: 1' and '1' or '1
Hi
A user was able to log into my site using:
1' and '1' or '1
in the username and password box.

I ran the query 

SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'

And it returned all rows. Can someone explain to me why this happens, and if the steps I
took (replacing the ' with a blank space when the user submits the login form) are enough
to prevent a similar "hack"?

Appreciate any feedback.
--
Dave
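
Added example, not part of the original message: it reproduces the posted query, shows how the WHERE clause groups once AND is evaluated before OR, and puts the string-built login next to a parameterized one. Assumptions: SQLite stands in for the MySQL server in the post (both evaluate AND before OR and treat the string '1' as true); the sample rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names follow the query in the post.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concatenated(db, name, password):
    # Vulnerable form: input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT * FROM members WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()

def login_parameterized(db, name, password):
    # Hardened form: values are bound as data and never parsed as SQL.
    sql = "SELECT * FROM members WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchall()

def where_as_parsed(db):
    # AND binds tighter than OR, so the posted WHERE clause groups as
    #   (name='1' AND '1') OR ('1' AND password='1' AND '1') OR '1'
    # and the final bare '1' is true for every row.
    sql = ("SELECT count(*) FROM members WHERE (name = '1' AND '1') "
           "OR ('1' AND password = '1' AND '1') OR '1'")
    return db.execute(sql).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    payload = "1' and '1' or '1"  # the input quoted in the post
    print(login_concatenated(db, payload, payload))    # every row
    print(where_as_parsed(db))                         # same match count, explicit grouping
    print(login_parameterized(db, payload, payload))   # no rows
    print(login_parameterized(db, "alice", "s3cret"))  # the one matching row
```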