Tahnks all for your responses (so many) I am reading up on it now
--
Dave
----- Original Message -----
From: "Johan Lundqvist" <[EMAIL PROTECTED]>
To: <mysql@lists.mysql.com>
Sent: Wednesday, May 10, 2006 10:26 AM
Subject: Re: 1' and '1' or '1
Hi Dave,
1st: Never, never, never store passwords in plain text!! Just don't do it.
Store a hash of the password (ie md5 or something else).
2nd: Never pass any input from the Internet directly into a query without
first checking it for sql injection.
Take a look at Wikipedia article for a brief explanation and several links
to further info.
http://en.wikipedia.org/wiki/SQL_injection
/Johan
Critters wrote:
Hi
A user was able to log into my site using:
1' and '1' or '1
in the username and password box.
I ran the query SELECT * FROM members WHERE name = '1' and '1' or '1' AND
password = '1' and '1' or '1'
And it returned all rows. Can someone explain to me why this happens, and
if the steps I took (replacing the ' with a blank space when the user
submits the login form) is enough to prevent a similar "hack"
Appreciate any feedback.
--
Dave
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:
http://lists.mysql.com/[EMAIL PROTECTED]
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]