On Wednesday 10 May 2006 09:53, Critters wrote:
> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box.
>
> I ran the query
>
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1'
> and '1' or '1'
>
> And it returned all rows. Can someone explain to me why this happens, and
> if the steps I took (replacing the ' with a blank space when the user
SQL injection attack.

1) Quote all input from the real world. If you're using any of the PHP abstraction layers (or just the direct api), there's a quote function that can help. Other languages should have the same abilities.

2) The user has (correctly) assumed that your code uses "select .... '$var'" syntax. Fill in the blanks appropriately and you'll see how the injection works.

3) The and / or sequence takes advantage of mathematical precedence to force always true. Most SELECTs essentially end up as a boolean evaluation (are all the conditions true or not), and using SELECT .. FROM .. WHERE '1' is a boolean true.

The better handling for passwords, btw, is to require plain-text from the user, but hash the password in the table and in the code. The injection attack gets hashed, and becomes useless. Mind you, that's just -one- input field type; you can't hash everything.

Your hack works, but you'd be better off reading up on SQL injection (you can do more than select all records - how's a dropped table strike you?), and looking at the availability of quoting capabilities in your language of choice.

--
Duncan Hill - Developer
Critical Software
+44 (0)870 770 8190

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
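As an added example (not from either mail in this thread), the posted query run three ways against an in-memory SQLite table: built by string concatenation as the original code evidently did, with the quotes stripped as the poster proposed, and with bound parameters as Duncan recommends. The `members` rows, the function names and the use of SQLite in place of MySQL are constructed for illustration; the precedence behaviour of `and`/`or` and the truthiness of the string `'1'` are the same in both.

```python
import sqlite3

# The exact value the original poster typed into both login fields.
PAYLOAD = "1' and '1' or '1"


def make_db():
    """Constructed sample table; names and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pw")])
    return conn


def vulnerable_login(conn, name, password):
    """String-built query, i.e. the "select .... '$var'" pattern Duncan describes."""
    sql = ("SELECT * FROM members WHERE name = '%s' AND password = '%s'"
           % (name, password))
    # With PAYLOAD in both fields this is exactly the query from the original mail.
    # AND binds tighter than OR, so the trailing "or '1'" makes the whole WHERE
    # true for every row: SQLite, like MySQL, treats the string '1' as true.
    return conn.execute(sql).fetchall()


def stripped_login(conn, name, password):
    """The poster's own workaround: replace every quote with a blank space."""
    return vulnerable_login(conn, name.replace("'", " "), password.replace("'", " "))


def safe_login(conn, name, password):
    """Bound parameters: the driver quotes the values, so the payload is just a
    literal string compared against the columns and matches nothing."""
    sql = "SELECT * FROM members WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", len(vulnerable_login(db, PAYLOAD, PAYLOAD)), "rows")  # 3
    print("stripped:  ", len(stripped_login(db, PAYLOAD, PAYLOAD)), "rows")    # 0
    print("safe:      ", len(safe_login(db, PAYLOAD, PAYLOAD)), "rows")        # 0
    print("legit:     ", safe_login(db, "alice", "s3cret"))
```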