What page architecture are you using: PHP, ASP, .Net 1.1 or .Net 2.0, or are you using one of the standard CMS packages (Mambo, Plone, etc.)?
If you are using ASP.net 2.0 with MySQL (I am using this), I have managed to implement the Membership / Role providers in my site using MySQL as the provider. Using the login credentials you supplied, the site rejects it as you have to have explicit username and password (which is encrypted on creation in the DB) details to log in.

HTH,

Dewald Troskie
GIS Developer / Database Architect
GIS Global Image (Pty) Ltd.
Helping the world make informed decisions
P.O Box 15 The Innovation Hub 0087
Cell: +27 (0)72 685 4246
Tel: +27 (0)12 844 0660
Fax: +27 (0)86 619 3958
Email: [EMAIL PROTECTED]
Web: www.globalimage.co.za
Web: www.mapme.co.za
Blog: http://electronucleus.blogspot.com/
Registered Linux User No: 371874
Office L15 Enterprise Building
The Innovation Hub - Hotel Street
Lynnwood, Pretoria, 0087

"There are 10 kinds of people, those who understand binary and those who don't"

-----Original Message-----
From: Critters [mailto:[EMAIL PROTECTED]
Sent: 10 May 2006 10:53 AM
To: mysql@lists.mysql.com
Subject: 1' and '1' or '1

Hi

A user was able to log into my site using:

1' and '1' or '1

in the username and password box.

I ran the query

SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'

And it returned all rows.

Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar "hack"?

Appreciate any feedback.

--
Dave

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
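
The query quoted in the original message, rebuilt as an added example that is not part of the thread or either poster's code: it shows why string concatenation yields that WHERE clause and how bound parameters handle the same input. Assumptions: SQLite's in-memory engine stands in for MySQL (both give AND higher precedence than OR and treat '1' as true), and the rows and function names are constructed for illustration.

```python
import sqlite3

INJECTED = "1' and '1' or '1"  # the string from the original message


def make_db():
    # Constructed sample rows; plaintext passwords only mirror the posted query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("alice", "wonder"), ("bob", "builder"), ("o'brien", "clover")])
    return db


def login_concatenated(db, name, password):
    # Vulnerable: input is spliced into the SQL text, so its quotes end the
    # string literal and the rest is parsed as operators.
    sql = ("SELECT name FROM members WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sql, [r[0] for r in db.execute(sql)]


def login_parameterized(db, name, password):
    # Hardened: values are bound separately and never parsed as SQL.
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return [r[0] for r in db.execute(sql, (name, password))]


def strip_quotes(value):
    # The mitigation described in the question: replace ' with a space.
    return value.replace("'", " ")


if __name__ == "__main__":
    db = make_db()
    sql, rows = login_concatenated(db, INJECTED, INJECTED)
    print(sql)
    # AND binds tighter than OR, so the WHERE clause groups as
    #   (name='1' AND '1') OR ('1' AND password='1' AND '1') OR '1'
    # and the trailing '1' is true for every row.
    print("concatenated:", rows)
    print("parameterized:", login_parameterized(db, INJECTED, INJECTED))
    # Stripping quotes changes legitimate data; binding does not.
    print("stripped:", login_parameterized(db, strip_quotes("o'brien"), "clover"))
    print("bound:", login_parameterized(db, "o'brien", "clover"))
```

With MySQL the same binding is done through the connector's prepared-statement or parameter API rather than by editing the input string.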