List:General Discussion« Previous MessageNext Message »
From:Sander Smeenk Date:May 10 2006 9:03am
Subject:Re: 1' and '1' or '1
View as plain text  
Quoting Critters (critters@stripped):

> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or
> '1'
> And it returned all rows. Can someone explain to me why this happens,
> and if the steps I took (replacing the ' with a blank space when the
> user submits the login form) is enough to prevent a similar "hack"

It's the logic in the WHERE statement that makes the query return all rows.

You should /never ever/ directly feed user input from websites to your
database. Always use prepare() and execute() statements to feed the
userdata, or use the proper quote() calls...

Or explicitly state what characters you will allow and filter anything
but those characters from the user supplied data.

Kind regards,
| Someone who thinks logically provides a nice contrast to the real world.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D
1' and '1' or '1Critters10 May
  • Re: 1' and '1' or '1Sander Smeenk10 May
  • Re: 1' and '1' or '1Duncan Hill10 May
  • Re: 1' and '1' or '1Martijn Tonies10 May
  • Re: 1' and '1' or '1Chris Sansom10 May
  • Re: 1' and '1' or '1Johan Lundqvist10 May
    • Re: 1' and '1' or '1sheeri kritzer12 May
  • Re: 1' and '1' or '1Critters10 May
RE: 1' and '1' or '1Dewald Troskie10 May