Quoting Critters ([EMAIL PROTECTED]):

> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and 
> '1' or '1'
> And it returned all rows. Can someone explain to me why this happens,
> and if the steps I took (replacing the ' with a blank space when the
> user submits the login form) are enough to prevent a similar "hack"

It's the logic in the WHERE statement that makes the query return all rows.

You should /never ever/ directly feed user input from websites to your
database. Always use prepare() and execute() statements to feed the
userdata, or use the proper quote() calls...

Or explicitly state what characters you will allow and filter anything
but those characters from the user supplied data.

Kind regards,
Sander.
-- 
| Someone who thinks logically provides a nice contrast to the real world.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
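Added example, not code from either poster: the quoted WHERE clause rebuilt against a constructed `members` table in an in-memory SQLite database (standing in for MySQL; Python's `sqlite3` placeholders play the role of DBI's prepare()/execute()), so you can see the interpolated query return every row while the parameterized one returns none for the same input.

```python
import sqlite3

# Constructed sample data standing in for the "members" table from the thread.
SAMPLE_MEMBERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]

# The exact value from the thread, submitted as both name and password.
INJECTED_INPUT = "1' and '1' or '1"


def open_members_db():
    """Create an in-memory SQLite database with a constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def login_interpolated(conn, name, password):
    """Vulnerable: user input is spliced straight into the SQL text.
    With INJECTED_INPUT the WHERE clause becomes
      name = '1' and '1' or '1' AND password = '1' and '1' or '1'
    and because AND binds tighter than OR, the trailing OR '1' is true
    for every row, so every member is returned."""
    sql = f"SELECT name FROM members WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Safe: placeholders are bound by the driver (the prepare()/execute()
    pattern recommended in the reply), so the input is compared as a literal
    string and never parsed as SQL."""
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both variants on the injected input plus one genuine login.
    Returns (interpolated_result, parameterized_result, genuine_result)."""
    conn = open_members_db()
    try:
        vulnerable = login_interpolated(conn, INJECTED_INPUT, INJECTED_INPUT)
        safe = login_parameterized(conn, INJECTED_INPUT, INJECTED_INPUT)
        genuine = login_parameterized(conn, "alice", "s3cret")
    finally:
        conn.close()
    return vulnerable, safe, genuine


if __name__ == "__main__":
    vuln, safe, genuine = demo()
    print("interpolated :", vuln)     # ['alice', 'bob', 'carol']
    print("parameterized:", safe)     # []
    print("genuine login:", genuine)  # ['alice']
```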
