At 9:53 +0100 10/5/06, Critters wrote:
>A user was able to log into my site using:
>1' and '1' or '1
>in the username and password box.
>I ran the query
>SELECT * FROM members WHERE name = '1' and '1' or '1' AND password =
>'1' and '1' or '1'
>And it returned all rows.

Interesting - I found just the same on the site I'm developing and
I'll put preventative measures in place straight away! It's obviously
the OR that does it, because if I just use:

1' or '1

it works, but if I try:

1' and '1

As Sander Smeenk said, it's the logic in the WHERE clause: if you just did:

SELECT * FROM members WHERE '1'

(or indeed: SELECT * FROM members WHERE 1)

it would find all rows. This is in fact the default SQL that's rather
irritatingly always there in phpMyAdmin's SQL text areas. All you're
doing is ORing your other criteria with the '1', which effectively
makes them irrelevant.

In fact, taking this one stage further, you could log in with:

anyloadofoldgibberish' or '1
Highway 57 Web Development -- http://highway57.co.uk/
Never trust a man who, when left alone in a room
with a tea cosy, doesn't try it on.
-- Billy Connolly
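The following is an added worked example, not code from either poster in this thread. It reproduces the situation above with Python's standard-library sqlite3 module in place of MySQL/PHP: a members table with constructed sample rows, a login query built by string concatenation (which turns the thread's input into the exact WHERE clause quoted above and matches every row), and the same query with bound parameters, which treats the input as data and matches nothing. Table columns and sample names are assumptions for illustration; the plaintext password column is kept only so the query mirrors the one in the thread.

```python
import sqlite3

# Constructed sample data for illustration only (not from the original thread).
SAMPLE_MEMBERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]


def make_db():
    """Create an in-memory members table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Build the SQL by string concatenation, the way the thread's query was built.

    With username = password = "1' and '1' or '1" this produces
    SELECT name FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
    and, because AND binds tighter than OR, the trailing OR '1' is always true.
    Returns the list of member names the query matches.
    """
    sql = (
        "SELECT name FROM members WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """Same query with bound parameters: quotes and keywords in the input stay data."""
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    payload = "1' and '1' or '1"
    print("concatenated query matches:", vulnerable_login(conn, payload, payload))
    print("parameterized query matches:", safe_login(conn, payload, payload))
    print("real credentials, parameterized:", safe_login(conn, "alice", "s3cret"))
```

Running the block prints all three constructed names for the concatenated query and an empty list for the parameterized one; the shorter `1' or '1` and `anyloadofoldgibberish' or '1` inputs from the thread behave the same way, since in each case the clause ends in `OR '1'`. The fix is the parameterized form: the database driver never parses the supplied text as SQL, so the WHERE logic the thread describes cannot be altered by it.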