On Wednesday 10 May 2006 09:53, Critters wrote:
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box.
> I ran the query
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1'
> and '1' or '1'
> And it returned all rows. Can someone explain to me why this happens, and
> if the steps I took (replacing the ' with a blank space when the user
SQL injection attack.
1) Quote all input from the real world. If you're using any of the PHP
abstraction layers (or just the direct api), there's a quote function that
can help. Other languages should have the same abilities.
2) The user has (correctly) assumed that your code uses "select .... '$var'"
syntax. Fill in the blanks appropriately and you'll see how the injection
3) The and / or sequence takes advantage of mathematical precedence to force
always true. Most SELECTs essentially end up as a boolean evaluation
(are all the conditions true or not), and using SELECT .. FROM .. WHERE '1'
is a boolean true.
The better handling for passwords btw, is to require plain-text from the user,
but hash the password in the table and in the code. The injection attack
gets hashed, and becomes useless. Mind you that's just -one- input field
type, you can't hash everything.
Your hack works, but you'd be better off reading up on SQL injection (you can
do more than select all records - how's a dropped table strike you?), and
looking at the availability of quoting capabilities in your language of
Duncan Hill - Developer
+44 (0)870 770 8190
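The bypass from the post and the fixes the reply recommends, as an added example that is not part of the original thread. It assumes a `members` table with `name` and `password` columns as in the quoted query, runs against an in-memory SQLite database filled with made-up rows, and adds one constructed extra payload (`x' or 1 --`) to show the reply's caveat that hashing only the password leaves the username field injectable. The function and variable names are this example's own.

```python
"""Reproduce the login bypass quoted in the post against an in-memory SQLite
database, then show the poster's quote-stripping hack, a parameterized query,
and the reply's hash-the-password suggestion. Example code, not the poster's."""
import hashlib
import sqlite3

# Constructed sample members table (names and passwords are made up).
SAMPLE_MEMBERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]

# The exact string the user typed into both boxes, per the post.
PAYLOAD = "1' and '1' or '1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def make_hashed_db():
    # Same table, but the stored password is a hash (unsalted SHA-256 here
    # for brevity; a real site should use a purpose-built password hash).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [(n, hashlib.sha256(p.encode()).hexdigest()) for n, p in SAMPLE_MEMBERS],
    )
    conn.commit()
    return conn


def build_query(user, pw):
    """The "select ... '$var'" pattern the reply describes: raw interpolation."""
    return "SELECT * FROM members WHERE name = '%s' AND password = '%s'" % (user, pw)


def login_vulnerable(conn, user, pw):
    # With PAYLOAD in both fields this is exactly the query quoted in the post.
    # AND binds tighter than OR, so the trailing "or '1'" makes every row match.
    return conn.execute(build_query(user, pw)).fetchall()


def login_strip_quotes(conn, user, pw):
    # The poster's own hack: replace ' with a space before interpolating.
    # It defeats this payload, but it is a blacklist and still interpolates.
    return conn.execute(
        build_query(user.replace("'", " "), pw.replace("'", " "))
    ).fetchall()


def login_parameterized(conn, user, pw):
    # The fix the reply points at: let the driver quote/bind the values.
    sql = "SELECT * FROM members WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchall()


def login_hashed_password(conn_hashed, user, pw):
    # The reply's password suggestion: hash before the value reaches SQL, so
    # the injection payload becomes hex digits and is useless as SQL. The
    # username is still interpolated, which is the "can't hash everything" caveat.
    digest = hashlib.sha256(pw.encode()).hexdigest()
    return conn_hashed.execute(build_query(user, digest)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query(PAYLOAD, PAYLOAD))
    print("vulnerable:    ", len(login_vulnerable(db, PAYLOAD, PAYLOAD)), "rows")
    print("strip quotes:  ", len(login_strip_quotes(db, PAYLOAD, PAYLOAD)), "rows")
    print("parameterized: ", len(login_parameterized(db, PAYLOAD, PAYLOAD)), "rows")
    hdb = make_hashed_db()
    print("hashed pw:     ", len(login_hashed_password(hdb, PAYLOAD, PAYLOAD)), "rows")
    # Constructed payload: with only the password hashed, injecting through the
    # username still works, because "--" comments out the password check.
    print("hashed pw, name injected:",
          len(login_hashed_password(hdb, "x' or 1 --", "anything")), "rows")
```

Running it prints the quoted query and shows the vulnerable version returning all three rows while the quote-stripping, parameterized, and hashed variants return none for that payload; the last line shows why parameterizing (or at least quoting) every field matters, not just the password.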