Quoting Critters (critters@stripped):
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or
> And it returned all rows. Can someone explain to me why this happens,
> and whether the steps I took (replacing the ' with a blank space when the
> user submits the login form) are enough to prevent a similar "hack"?
It's the logic in the WHERE statement that makes the query return all rows.
You should /never ever/ directly feed user input from websites to your
database. Always use prepare() and execute() statements to feed the
user data, or use the proper quote() calls...
Or explicitly state what characters you will allow and filter anything
but those characters from the user supplied data.
| Someone who thinks logically provides a nice contrast to the real world.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
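The following is an added example, not code from the thread or from either poster. It builds a small in-memory SQLite table with constructed sample members, then runs the login query three ways: the vulnerable form that splices user input into the SQL text (which returns every row for an input shaped like the one in the quoted query), the prepare()/execute()-style form with placeholders that the reply recommends, and the allowlist filter it mentions as the alternative. The table name `members` and the column names match the quoted query; the member rows, the `login_*` and `is_allowed` function names, and the injected input are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows (not from the original thread).
SAMPLE_MEMBERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]

# Constructed login input following the pattern of the quoted query: the
# leading quote closes the string literal early, and the rest of the text is
# parsed as SQL, adding an OR condition that is true for every row.
INJECTED_NAME = "1' or '1'='1"
INJECTED_PASSWORD = "1' or '1'='1"

# Allowlist for a login name: letters, digits and underscore only. Anything
# else is rejected outright instead of being stripped or replaced.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Create an in-memory database with the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def login_vulnerable(conn, name, password):
    """The pattern from the thread: user input concatenated into the SQL.

    Quotes inside the input become part of the query's syntax rather than
    part of the compared value, which is why the injected input matches
    every row.
    """
    sql = ("SELECT name FROM members WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """The prepare()/execute() approach: placeholders instead of splicing.

    The values travel to the driver separately from the SQL text, so the
    input is compared as data no matter what characters it contains.
    """
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def is_allowed(value):
    """Allowlist check: accept only the characters explicitly permitted."""
    return ALLOWED_NAME.fullmatch(value) is not None


def demo():
    """Run the three approaches against the same inputs; return the results."""
    conn = make_db()
    return {
        "vulnerable_injected": login_vulnerable(conn, INJECTED_NAME, INJECTED_PASSWORD),
        "safe_injected": login_safe(conn, INJECTED_NAME, INJECTED_PASSWORD),
        "safe_real_login": login_safe(conn, "alice", "s3cret"),
        "allowlist_rejects_injected": not is_allowed(INJECTED_NAME),
        "allowlist_accepts_plain": is_allowed("alice"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it shows the vulnerable query returning all three constructed members for the injected input, while the placeholder version returns no rows for that input and still returns the one matching member for a genuine name and password; the allowlist rejects the injected string before it reaches the database at all.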