List:General Discussion« Previous MessageNext Message »
From:Duncan Hill Date:May 10 2006 9:06am
Subject:Re: 1' and '1' or '1
View as plain text  
On Wednesday 10 May 2006 09:53, Critters wrote:
> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box.
>
> I ran the query
>
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1'
> and '1' or '1'
>
> And it returned all rows. Can someone explain to me why this happens, and
> if the steps I took (replacing the ' with a blank space when the user

SQL injection attack.

1) Quote all input from the real world.  If you're using any of the PHP 
abstraction layers (or just the direct api), there's a quote function that 
can help.  Other languages should have the same abilities.

2) The user has (correctly) assumed that your code uses "select .... '$var'" 
syntax.  Fill in the blanks appropriately and you'll see how the injection 
works.

3) The and / or sequence takes advantage of mathematical precedence to force 
always true.  Most SELECTs are essentially end up as a boolean evaluation 
(are all the conditions true or not), and using SELECT .. FROM .. WHERE '1' 
is a boolean true.

The better handling for passwords btw, is to require plain-text from the user, 
but hash the password in the table and in the code.  The injection attack 
gets hashed, and becomes useless.  Mind you that's just -one- input field 
type, you can't hash everything.

Your hack works, but you'd be better off reading up on SQL injection (you can 
do more than select all records - how's a dropped table strike you?), and 
looking at the availability of quoting capabilities in your language of 
choice.
-- 
Duncan Hill - Developer
Critical Software
+44 (0)870 770 8190
----
Scanned by mailCritical.
Thread
1' and '1' or '1Critters10 May
  • Re: 1' and '1' or '1Sander Smeenk10 May
  • Re: 1' and '1' or '1Duncan Hill10 May
  • Re: 1' and '1' or '1Martijn Tonies10 May
  • Re: 1' and '1' or '1Chris Sansom10 May
  • Re: 1' and '1' or '1Johan Lundqvist10 May
    • Re: 1' and '1' or '1sheeri kritzer12 May
  • Re: 1' and '1' or '1Critters10 May
RE: 1' and '1' or '1Dewald Troskie10 May