List: General Discussion
From:Chris Sansom Date:May 10 2006 9:25am
Subject:Re: 1' and '1' or '1
At 9:53 +0100 10/5/06, Critters wrote:
>A user was able to log into my site using:
>1' and '1' or '1
>in the username and password box.
>
>I ran the query
>
>SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = 
>'1' and '1' or '1'
>
>And it returned all rows.

Interesting - I found just the same on the site I'm developing and 
I'll put preventative measures in place straight away! It's obviously 
the OR that does it, because if I just use:
	1' or '1
it works, but if I try:
	1' and '1
it doesn't.

As Sander Smeenk said, it's the logic in the where clause: if you just did:
SELECT * FROM members WHERE '1'
(or indeed: SELECT * FROM members WHERE 1)
it would find all rows. This is in fact the default SQL that's rather 
irritatingly always there in phpMyAdmin's SQL text areas. All you're 
doing is ORing your other criteria with the '1', which effectively 
makes them irrelevant.

In fact, taking this one stage further, you could log in with:
anyloadofoldgibberish' or '1

Try it!

-- 
Cheers... Chris
Highway 57 Web Development -- http://highway57.co.uk/

Never trust a man who, when left alone in a room
with a tea cosy, doesn't try it on.
    -- Billy Connolly
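The query from the thread, run over a constructed `members` table and placed beside its parameterised form, as an added example that is not part of the original list post. It uses Python's `sqlite3` as a stand-in for MySQL; both treat the string literal `'1'` as true in a WHERE clause, which is why the trailing OR makes every other condition irrelevant.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "members" table.
MEMBERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    return conn

def build_concat_sql(user, pw):
    """Vulnerable: the WHERE clause is assembled by string concatenation, so a
    quote in the input closes the literal and the rest is parsed as SQL."""
    return ("SELECT * FROM members WHERE name = '" + user
            + "' AND password = '" + pw + "'")

def login_concat(user, pw):
    """Rows returned by the concatenated query (the behaviour seen in the thread)."""
    with make_db() as conn:
        return conn.execute(build_concat_sql(user, pw)).fetchall()

def login_param(user, pw):
    """Hardened: bound parameters keep the input as data, so the quotes and the
    OR are compared literally against the columns and never parsed as SQL."""
    sql = "SELECT * FROM members WHERE name = ? AND password = ?"
    with make_db() as conn:
        return conn.execute(sql, (user, pw)).fetchall()

if __name__ == "__main__":
    # The three inputs discussed in the thread, typed into both boxes.
    for inp in ["1' and '1' or '1", "1' or '1", "1' and '1"]:
        print(repr(inp), "->", build_concat_sql(inp, inp))
        print("  concatenated rows:", len(login_concat(inp, inp)),
              " parameterised rows:", len(login_param(inp, inp)))
    # Legitimate credentials still work with the parameterised query.
    print("alice/s3cret ->", login_param("alice", "s3cret"))
```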