Re: 1' and '1' or '1
I disagree on point 1. If you warn your members that their password is insecure, and if you e-mail out passwords anyway, there's no reason not to have a secure password.

Many people I know use an insecure password for many things, from silly required free registration sites (go ahead, break into my Washington Post account) to other services not important to them. But do I really care if someone ganks my Wikipedia password?

If you're a bank, sure, encrypt. Or if you have important data. But it's not a hard and fast rule. In fact, I'd venture to say don't use hard and fast rules. THINK about your situation, and if it makes sense. Does using SSL make sense? Does using encryption make sense?

-Sheeri

On 5/10/06, Johan Lundqvist [EMAIL PROTECTED] wrote:
> Hi Dave,
>
> 1st: Never, never, never store passwords in plain text!! Just don't do it. Store a hash of the password (i.e. MD5 or something else).
>
> 2nd: Never pass any input from the Internet directly into a query without first checking it for SQL injection. Take a look at the Wikipedia article for a brief explanation and several links to further info.
> http://en.wikipedia.org/wiki/SQL_injection
>
> /Johan

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
1' and '1' or '1
Hi

A user was able to log into my site using:

1' and '1' or '1

in the username and password box. I ran the query

SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'

and it returned all rows.

Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack? Appreciate any feedback.

--
Dave
RE: 1' and '1' or '1
What page architecture are you using: PHP, ASP, .Net 1.1 or .Net 2.0, or are you using one of the standard CMS packages (Mambo, Plone, etc.)?

If you are using ASP.net 2.0 with MySQL (I am using this), I have managed to implement the Membership / Role providers in my site using MySQL as the provider. Using the login credentials you supplied, the site rejects it, as you have to have explicit username and password (which is encrypted on creation in the DB) details to login.

HTH,

Dewald Troskie
GIS Developer / Database Architect
GIS Global Image (Pty) Ltd.
Helping the world make informed decisions
P.O Box 15, The Innovation Hub, 0087
Cell: +27 (0)72 685 4246
Tel: +27 (0)12 844 0660
Fax: +27 (0)86 619 3958
Email: [EMAIL PROTECTED]
Web: www.globalimage.co.za
Web: www.mapme.co.za
Blog: http://electronucleus.blogspot.com/
Registered Linux User No: 371874
Office L15, Enterprise Building, The Innovation Hub - Hotel Street, Lynnwood, Pretoria, 0087

There are 10 kinds of people, those who understand binary and those who don't

-----Original Message-----
From: Critters [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2006 10:53 AM
To: mysql@lists.mysql.com
Subject: 1' and '1' or '1
Re: 1' and '1' or '1
Quoting Critters ([EMAIL PROTECTED]):
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
>
> And it returned all rows. Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) is enough to prevent a similar hack

It's the logic in the WHERE statement that makes the query return all rows.

You should /never ever/ directly feed user input from websites to your database. Always use prepare() and execute() statements to feed the userdata, or use the proper quote() calls... Or explicitly state what characters you will allow and filter anything but those characters from the user supplied data.

Kind regards,
Sander.

--
| Someone who thinks logically provides a nice contrast to the real world.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
Re: 1' and '1' or '1
On Wednesday 10 May 2006 09:53, Critters wrote:
> Hi
>
> A user was able to log into my site using: 1' and '1' or '1 in the username and password box. I ran the query
>
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
>
> And it returned all rows. Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user

SQL injection attack.

1) Quote all input from the real world. If you're using any of the PHP abstraction layers (or just the direct API), there's a quote function that can help. Other languages should have the same abilities.

2) The user has (correctly) assumed that your code uses select '$var' syntax. Fill in the blanks appropriately and you'll see how the injection works.

3) The and / or sequence takes advantage of mathematical precedence to force always true. Most SELECTs essentially end up as a boolean evaluation (are all the conditions true or not), and using SELECT .. FROM .. WHERE '1' is a boolean true.

The better handling for passwords, btw, is to require plain-text from the user, but hash the password in the table and in the code. The injection attack gets hashed, and becomes useless. Mind you that's just -one- input field type, you can't hash everything.

Your hack works, but you'd be better off reading up on SQL injection (you can do more than select all records - how's a dropped table strike you?), and looking at the availability of quoting capabilities in your language of choice.

--
Duncan Hill - Developer
Critical Software
+44 (0)870 770 8190
Re: 1' and '1' or '1
Search the web for something called SQL injection and do some reading.

Martijn Tonies
Database Workbench - development tool for MySQL, and more!
Upscene Productions
http://www.upscene.com
My thoughts:
http://blog.upscene.com/martijn/
Database development questions? Check the forum!
http://www.databasedevelopmentforum.com
Re: 1' and '1' or '1
At 9:53 +0100 10/5/06, Critters wrote:
> A user was able to log into my site using: 1' and '1' or '1 in the username and password box. I ran the query
>
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
>
> And it returned all rows.

Interesting - I found just the same on the site I'm developing and I'll put preventative measures in place straight away!

It's obviously the OR that does it, because if I just use:

1' or '1

it works, but if I try:

1' and '1

it doesn't.

As Sander Smeenk said, it's the logic in the where clause: if you just did:

SELECT * FROM members WHERE '1'

(or indeed: SELECT * FROM members WHERE 1) it would find all rows. This is in fact the default SQL that's rather irritatingly always there in phpMyAdmin's SQL text areas. All you're doing is ORing your other criteria with the '1', which effectively makes them irrelevant.

In fact, taking this one stage further, you could log in with:

anyloadofoldgibberish' or '1

Try it!

--
Cheers...
Chris
Highway 57 Web Development -- http://highway57.co.uk/

Never trust a man who, when left alone in a room with a tea cosy, doesn't try it on. -- Billy Connolly
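Dave's query rerun as an added example (not code from anyone in this thread) against an in-memory SQLite table standing in for the MySQL "members" table; the column layout, the salted SHA-256 hashing and the two sample users are my assumptions. It puts the string-built query that Sander, Duncan and Chris explain next to Dave's quote-stripping patch and a parameterised, hash-comparing login:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the thread's MySQL "members" table, in SQLite.
# Storing a salted SHA-256 hash (and the column names) is my assumption;
# Johan and Duncan only say "store a hash".
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE members (name TEXT, salt TEXT, pwhash TEXT)")

def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
    salt = os.urandom(8).hex()
    conn.execute("INSERT INTO members VALUES (?, ?, ?)",
                 (user, salt, hash_password(pw, salt)))

PAYLOAD = "1' and '1' or '1"   # what the visitor typed into both boxes

def vulnerable_login(name: str, password: str) -> int:
    """The select '$var' pattern Duncan describes: form fields pasted into
    the SQL text. Returns how many rows matched (> 0 counted as logged in)."""
    sql = ("SELECT * FROM members WHERE name = '%s' AND pwhash = '%s'"
           % (name, password))
    # With PAYLOAD this reads  ... name = '1' and '1' or '1' AND pwhash = '1'
    # and '1' or '1'.  AND binds tighter than OR, so the clause becomes
    # (...) OR (...) OR '1', and the final '1' is true for every row.
    return len(conn.execute(sql).fetchall())

def quote_stripped_login(name: str, password: str) -> int:
    """Dave's own fix: replace ' with a space before building the string.
    It defeats this payload, but user input still becomes SQL text."""
    return vulnerable_login(name.replace("'", " "), password.replace("'", " "))

def safe_login(name: str, password: str) -> bool:
    """Sander's advice: bind the input as a parameter so the driver never
    lets it change the SQL, then compare the hash in code (Duncan's point)."""
    row = conn.execute("SELECT salt, pwhash FROM members WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```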
Re: 1' and '1' or '1
Hi Dave,

1st: Never, never, never store passwords in plain text!! Just don't do it. Store a hash of the password (i.e. MD5 or something else).

2nd: Never pass any input from the Internet directly into a query without first checking it for SQL injection. Take a look at the Wikipedia article for a brief explanation and several links to further info.

http://en.wikipedia.org/wiki/SQL_injection

/Johan
Re: 1' and '1' or '1
Thanks all for your responses (so many). I am reading up on it now.

--
Dave

----- Original Message -----
From: Johan Lundqvist [EMAIL PROTECTED]
To: mysql@lists.mysql.com
Sent: Wednesday, May 10, 2006 10:26 AM
Subject: Re: 1' and '1' or '1
Re: Meaning of 1:1, 1:1 generalization, 1:n, 1:n non identifying, n:m
Weird... about 1:1 generalization and 1:m non identifying...

I think that these examples can make it better to understand some of those terms... I am quoting from Database Systems -- Design, Implementation and Management, fourth edition, by Rob and Coronel (page 23):

Conceptual models use three types of relationships to describe associations among data: one-to-many, many-to-many, and one-to-one. Database designers usually use shorthand notations 1:M, M:N, and 1:1 for them, respectively. The following examples illustrate the distinctions among the three.

1. *ONE-TO-MANY Relationships*
A painter paints many different paintings, but each one of them is painted by only that painter. Thus the painter (the one) is related to the paintings (the many). Therefore, database designers label the relationship PAINTER paints PAINTINGS as 1:M. Similarly, a customer account (the one) might contain many invoices, but those invoices (the many) are related to only a single customer account. The CUSTOMER generates INVOICE relationship would also be labeled 1:M.

2. *MANY-TO-MANY Relationship*
An employee might learn many job skills, and each job skill might be learned by many employees. Database designers label the relationship EMPLOYEE learns SKILL as M:N. Similarly, a student can take many courses, and each course can be taken by many students, thus yielding the M:N relationship label for the relationship expressed by STUDENT takes COURSE.

3. *ONE-TO-ONE Relationship*
A retail company's management structure may require that each one of its stores be managed by a single employee. In turn, each store manager -- who is an employee -- only manages a single store. Therefore the relationship EMPLOYEE manages STORE is labeled 1:1.

Hope that this helps... as per the non identifying and the generalizations... DUNNO

On Thu, 30 Sep 2004 13:14:03 -0400, Joshua Beall [EMAIL PROTECTED] wrote:
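The three relationship types in the quoted passage, as an added example (not from the thread or the textbook) expressed as SQLite tables; table names, columns and the sample rows are my own. Each entry of the returned dict records whether the database accepted a row that respects or breaks the stated cardinality:

```python
import sqlite3

# Constructed schema for the 1:M, M:N and 1:1 examples quoted above.
# Names and sample rows are mine; the constraints are what make each
# cardinality hold inside the database rather than only in the diagram.
def build_schema() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs otherwise
    conn.executescript("""
        -- 1:M  PAINTER paints PAINTING: the foreign key sits on the 'many' side.
        CREATE TABLE painter (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE painting (id INTEGER PRIMARY KEY, title TEXT,
            painter_id INTEGER NOT NULL REFERENCES painter(id));
        -- M:N  EMPLOYEE learns SKILL: a bridge table keyed by both foreign
        --      keys, so each employee/skill pair is recorded at most once.
        CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE skill (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE employee_skill (
            employee_id INTEGER NOT NULL REFERENCES employee(id),
            skill_id    INTEGER NOT NULL REFERENCES skill(id),
            PRIMARY KEY (employee_id, skill_id));
        -- 1:1  EMPLOYEE manages STORE: a foreign key made UNIQUE, so one
        --      employee can manage at most one store.
        CREATE TABLE store (id INTEGER PRIMARY KEY, name TEXT,
            manager_id INTEGER NOT NULL UNIQUE REFERENCES employee(id));
    """)
    return conn

def accepts(conn: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """True if the row went in, False if a constraint rejected it."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def demo() -> dict:
    conn = build_schema()
    conn.execute("INSERT INTO painter VALUES (1, 'Vermeer')")
    conn.execute("INSERT INTO employee VALUES (1, 'Ann'), (2, 'Ben')")
    conn.execute("INSERT INTO skill VALUES (1, 'welding')")
    paint = "INSERT INTO painting VALUES (?, ?, ?)"
    learn = "INSERT INTO employee_skill VALUES (?, ?)"
    manage = "INSERT INTO store VALUES (?, ?, ?)"
    return {  # evaluated in order, so each line sees the rows before it
        "1:M two paintings, one painter": accepts(conn, paint, (1, "Girl", 1))
                                          and accepts(conn, paint, (2, "View", 1)),
        "1:M painter 99 does not exist":  accepts(conn, paint, (3, "Lost", 99)),
        "M:N Ann learns welding":         accepts(conn, learn, (1, 1)),
        "M:N same pair again":            accepts(conn, learn, (1, 1)),
        "M:N Ben learns welding too":     accepts(conn, learn, (2, 1)),
        "1:1 Ann manages store A":        accepts(conn, manage, (1, "A", 1)),
        "1:1 Ann manages store B too":    accepts(conn, manage, (2, "B", 1)),
    }
```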
Meaning of 1:1, 1:1 generalization, 1:n, 1:n non identifying, n:m
Hi All,

I've been taking a look at DB Designer 4, and looking through the documentation (http://www.fabforce.net/dbdesigner4/doc/index.html) I am a little unclear on some of their nomenclature:

'1:1' - Ok, one to one. Got it.
'1:1' generalization - Don't know this. Obviously different somehow from one to one, but how?
'1:n' - One to many, I assume.
'1:n non identifying' - Nonidentifying? What does this mean?
'n:m' - Many to many? Again, not sure.

Can anyone help clarify?

Thanks!
-Josh