List:General Discussion« Previous MessageNext Message »
From:Martijn Tonies Date:May 10 2006 9:11am
Subject:Re: 1' and '1' or '1
View as plain text  
Search the web for something called "sql injection" and do some reading.

Martijn Tonies
Database Workbench - development tool for MySQL, and more!
Upscene Productions
http://www.upscene.com
My thoughts:
http://blog.upscene.com/martijn/
Database development questions? Check the forum!
http://www.databasedevelopmentforum.com


Hi
A user was able to log into my site using:
1' and '1' or '1
in the username and password box.

I ran the query

SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and
'1' or '1'

And it returned all rows. Can someone explain to me why this happens, and if
the steps I took (replacing the ' with a blank space when the user submits
the login form) is enough to prevent a similar "hack"

Appreciate any feedback.
--
Dave

Thread
1' and '1' or '1Critters10 May
  • Re: 1' and '1' or '1Sander Smeenk10 May
  • Re: 1' and '1' or '1Duncan Hill10 May
  • Re: 1' and '1' or '1Martijn Tonies10 May
  • Re: 1' and '1' or '1Chris Sansom10 May
  • Re: 1' and '1' or '1Johan Lundqvist10 May
    • Re: 1' and '1' or '1sheeri kritzer12 May
  • Re: 1' and '1' or '1Critters10 May
RE: 1' and '1' or '1Dewald Troskie10 May