List:General Discussion« Previous MessageNext Message »
From:Critters Date:May 10 2006 9:32am
Subject:Re: 1' and '1' or '1
View as plain text  
Tahnks all for your responses (so many) I am reading up on it now
--
Dave

----- Original Message ----- 
From: "Johan Lundqvist" <johan@stripped>
To: <mysql@stripped>
Sent: Wednesday, May 10, 2006 10:26 AM
Subject: Re: 1' and '1' or '1


> Hi Dave,
>
> 1st: Never, never, never store passwords in plain text!! Just don't do it. 
> Store a hash of the password (ie md5 or something else).
>
> 2nd: Never pass any input from the Internet directly into a query without 
> first checking it for sql injection.
>
> Take a look at Wikipedia article for a brief explanation and several links 
> to further info.
> http://en.wikipedia.org/wiki/SQL_injection
>
> /Johan
>
>
> Critters wrote:
>> Hi
>> A user was able to log into my site using:
>> 1' and '1' or '1
>> in the username and password box.
>>
>> I ran the query SELECT * FROM members WHERE name = '1' and '1' or '1' AND 
>> password = '1' and '1' or '1'
>>
>> And it returned all rows. Can someone explain to me why this happens, and 
>> if the steps I took (replacing the ' with a blank space when the user 
>> submits the login form) is enough to prevent a similar "hack"
>>
>> Appreciate any feedback.
>> --
>> Dave
>
> -- 
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: 
> http://lists.mysql.com/mysql?unsub=1
> 

Thread
1' and '1' or '1Critters10 May
  • Re: 1' and '1' or '1Sander Smeenk10 May
  • Re: 1' and '1' or '1Duncan Hill10 May
  • Re: 1' and '1' or '1Martijn Tonies10 May
  • Re: 1' and '1' or '1Chris Sansom10 May
  • Re: 1' and '1' or '1Johan Lundqvist10 May
    • Re: 1' and '1' or '1sheeri kritzer12 May
  • Re: 1' and '1' or '1Critters10 May
RE: 1' and '1' or '1Dewald Troskie10 May