Re: 1' and '1' or '1
I disagree on point 1. If you warn your members that their password is insecure, and if you e-mail out passwords anyway, there's no reason not to have a secure password. Many people I know use an insecure password for many things, from silly required free registration sites (go ahead, break into my Washington Post account) to other services not important to them. But do I really care if someone ganks my wikipedia password?

If you're a bank, sure, encrypt. Or if you have important data. But it's not a hard and fast rule. In fact, I'd venture to say don't use hard and fast rules. THINK about your situation, and if it makes sense. Does using SSL make sense? Does using encryption make sense?

-Sheeri

On 5/10/06, Johan Lundqvist [EMAIL PROTECTED] wrote:
> Hi Dave,
>
> 1st: Never, never, never store passwords in plain text!! Just don't do it. Store a hash of the password (i.e. md5 or something else).
>
> 2nd: Never pass any input from the Internet directly into a query without first checking it for SQL injection. Take a look at the Wikipedia article for a brief explanation and several links to further info.
> http://en.wikipedia.org/wiki/SQL_injection
>
> /Johan
>
> Critters wrote:
>> Hi
>> A user was able to log into my site using:
>> 1' and '1' or '1
>> in the username and password box. I ran the query
>> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
>> And it returned all rows.
>> Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack.
>> Appreciate any feedback.
>> --
>> Dave

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
RE: 1' and '1' or '1
What page architecture are you using: PHP, ASP, .Net 1.1 or .Net 2.0, or are you using one of the standard CMS packages (Mambo, Plone, etc)?

If you are using ASP.net 2.0 with MySQL (I am using this), I have managed to implement the Membership / Role providers in my site using MySQL as the provider. Using the login credentials you supplied, the site rejects it, as you have to have explicit username and password (which is encrypted on creation in the DB) details to login.

HTH,

Dewald Troskie
GIS Developer / Database Architect
GIS Global Image (Pty) Ltd.
Helping the world make informed decisions
P.O Box 15, The Innovation Hub, 0087
Cell: +27 (0)72 685 4246
Tel: +27 (0)12 844 0660
Fax: +27 (0)86 619 3958
Email: [EMAIL PROTECTED]
Web: www.globalimage.co.za
Web: www.mapme.co.za
Blog: http://electronucleus.blogspot.com/
Registered Linux User No: 371874
Office L15 Enterprise Building, The Innovation Hub - Hotel Street, Lynnwood, Pretoria, 0087
There are 10 kinds of people, those who understand binary and those who don't

-----Original Message-----
From: Critters [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2006 10:53 AM
To: mysql@lists.mysql.com
Subject: 1' and '1' or '1

Hi
A user was able to log into my site using:
1' and '1' or '1
in the username and password box. I ran the query
SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
And it returned all rows.
Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack.
Appreciate any feedback.
--
Dave
Re: 1' and '1' or '1
Quoting Critters ([EMAIL PROTECTED]):
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> And it returned all rows.
> Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack

It's the logic in the WHERE statement that makes the query return all rows.

You should /never ever/ directly feed user input from websites to your database. Always use prepare() and execute() statements to feed the userdata, or use the proper quote() calls... Or explicitly state what characters you will allow and filter anything but those characters from the user supplied data.

Kind regards,
Sander.
--
| Someone who thinks logically provides a nice contrast to the real world.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
Re: 1' and '1' or '1
On Wednesday 10 May 2006 09:53, Critters wrote:
> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box. I ran the query
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> And it returned all rows.
> Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user

SQL injection attack.

1) Quote all input from the real world. If you're using any of the PHP abstraction layers (or just the direct API), there's a quote function that can help. Other languages should have the same abilities.

2) The user has (correctly) assumed that your code uses select '$var' syntax. Fill in the blanks appropriately and you'll see how the injection works.

3) The and / or sequence takes advantage of mathematical precedence to force always true. Most SELECTs essentially end up as a boolean evaluation (are all the conditions true or not), and using SELECT .. FROM .. WHERE '1' is a boolean true.

The better handling for passwords, btw, is to require plain-text from the user, but hash the password in the table and in the code. The injection attack gets hashed, and becomes useless. Mind you that's just -one- input field type, you can't hash everything.

Your hack works, but you'd be better off reading up on SQL injection (you can do more than select all records - how's a dropped table strike you?), and looking at the availability of quoting capabilities in your language of choice.

--
Duncan Hill - Developer
Critical Software
+44 (0)870 770 8190
Re: 1' and '1' or '1
Search the web for something called SQL injection and do some reading.

Martijn Tonies
Database Workbench - development tool for MySQL, and more!
Upscene Productions
http://www.upscene.com
My thoughts:
http://blog.upscene.com/martijn/
Database development questions? Check the forum!
http://www.databasedevelopmentforum.com

> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box. I ran the query
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> And it returned all rows.
> Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack.
> Appreciate any feedback.
> --
> Dave
Re: 1' and '1' or '1
At 9:53 +0100 10/5/06, Critters wrote:
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box. I ran the query
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> And it returned all rows.

Interesting - I found just the same on the site I'm developing and I'll put preventative measures in place straight away!

It's obviously the OR that does it, because if I just use:

1' or '1

it works, but if I try:

1' and '1

it doesn't.

As Sander Smeenk said, it's the logic in the where clause: if you just did:

SELECT * FROM members WHERE '1'

(or indeed: SELECT * FROM members WHERE 1) it would find all rows. This is in fact the default SQL that's rather irritatingly always there in phpMyAdmin's SQL text areas. All you're doing is ORing your other criteria with the '1', which effectively makes them irrelevant.

In fact, taking this one stage further, you could log in with:

anyloadofoldgibberish' or '1

Try it!

--
Cheers...
Chris
Highway 57 Web Development -- http://highway57.co.uk/
Never trust a man who, when left alone in a room with a tea cosy, doesn't try it on. -- Billy Connolly
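The bypass that Duncan Hill's and Chris's replies above explain, reproduced as an added example that is not part of the original thread: it builds the login query the way the original post does, shows that both 1' and '1' or '1 and anyloadofoldgibberish' or '1 match every row, evaluates the bare WHERE expressions to make the AND-before-OR precedence visible, and then applies the fixes the replies recommend (bound parameters, a character whitelist on the username, and a hashed password column). It uses SQLite through Python's built-in sqlite3 module as a stand-in for MySQL; the string-to-number coercion and and/or precedence these inputs rely on behave the same in both. The table layout, the sample members, the USERNAME_RE policy and the choice of PBKDF2 (rather than the md5 Johan mentions) are assumptions of this example, not anything from the thread.

```python
"""Reproduce the login bypass from the thread against an in-memory SQLite
database, then show the fixes the replies recommend: bound parameters,
a whitelist on the username, and a hashed password column.
Added example; the schema, sample members and whitelist are assumed."""
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample members (not from the thread).
MEMBERS = [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "s3cret")]

# The strings typed into the username/password boxes in the thread.
PAYLOAD = "1' and '1' or '1"
GIBBERISH = "anyloadofoldgibberish' or '1"

# Assumed username policy: letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """members_plain mirrors the original site (plaintext passwords);
    members stores a salted hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members_plain (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members_plain VALUES (?, ?)", MEMBERS)
    conn.execute("CREATE TABLE members (name TEXT, pw_hash TEXT, salt BLOB)")
    for name, pw in MEMBERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO members VALUES (?, ?, ?)",
                     (name, hash_password(pw, salt), salt))
    return conn


def login_vulnerable(conn, name, password):
    """The query as the original post builds it: input pasted into the SQL
    text. With PAYLOAD in both boxes the WHERE clause becomes
        name = '1' and '1' or '1' AND password = '1' and '1' or '1'
    which AND-before-OR precedence groups as
        (name='1' and '1') or ('1' and password='1' and '1') or '1'
    and the trailing or '1' makes it true for every row."""
    sql = ("SELECT name FROM members_plain "
           f"WHERE name = '{name}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Same comparison, but the values are bound as parameters, so the
    quotes and the and/or inside them are just characters to compare."""
    sql = "SELECT name FROM members_plain WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def login_safe(conn, name, password):
    """Whitelist the username, bind it, and compare a hash of the
    submitted password against the stored hash in constant time."""
    if not USERNAME_RE.fullmatch(name):
        return []
    row = conn.execute("SELECT pw_hash, salt FROM members WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return []
    pw_hash, salt = row
    return [name] if hmac.compare_digest(pw_hash, hash_password(password, salt)) else []


def count_where(conn, expr):
    """Count rows matched by a constant WHERE expression, to show why
    WHERE '1' is true and why and binds tighter than or."""
    return conn.execute(f"SELECT count(*) FROM members_plain WHERE {expr}").fetchone()[0]


DB = make_db()

if __name__ == "__main__":
    print("vulnerable, payload:", login_vulnerable(DB, PAYLOAD, PAYLOAD))
    print("vulnerable, gibberish:", login_vulnerable(DB, GIBBERISH, GIBBERISH))
    print("parameterised, payload:", login_param(DB, PAYLOAD, PAYLOAD))
    print("hashed+whitelist, alice:", login_safe(DB, "alice", "correct horse"))
    print("WHERE '1' matches", count_where(DB, "'1'"), "rows")
    print("WHERE '0' and '1' or '1' matches", count_where(DB, "'0' and '1' or '1'"), "rows")
    print("WHERE '0' and ('1' or '1') matches", count_where(DB, "'0' and ('1' or '1')"), "rows")
```

The count_where calls are the part worth staring at: '0' and '1' or '1' matches every row while '0' and ('1' or '1') matches none, which is the precedence Duncan describes. Note that login_param alone already defeats the payload; the whitelist and the hash in login_safe are defence in depth, and, as Duncan says, hashing only helps for the password box, not for the username.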
Re: 1' and '1' or '1
Hi Dave,

1st: Never, never, never store passwords in plain text!! Just don't do it. Store a hash of the password (i.e. md5 or something else).

2nd: Never pass any input from the Internet directly into a query without first checking it for SQL injection. Take a look at the Wikipedia article for a brief explanation and several links to further info.
http://en.wikipedia.org/wiki/SQL_injection

/Johan

Critters wrote:
> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box. I ran the query
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> And it returned all rows.
> Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack.
> Appreciate any feedback.
> --
> Dave
Re: 1' and '1' or '1
Thanks all for your responses (so many), I am reading up on it now.
--
Dave

----- Original Message -----
From: Johan Lundqvist [EMAIL PROTECTED]
To: mysql@lists.mysql.com
Sent: Wednesday, May 10, 2006 10:26 AM
Subject: Re: 1' and '1' or '1

> Hi Dave,
>
> 1st: Never, never, never store passwords in plain text!! Just don't do it. Store a hash of the password (i.e. md5 or something else).
>
> 2nd: Never pass any input from the Internet directly into a query without first checking it for SQL injection. Take a look at the Wikipedia article for a brief explanation and several links to further info.
> http://en.wikipedia.org/wiki/SQL_injection
>
> /Johan
>
> Critters wrote:
>> Hi
>> A user was able to log into my site using:
>> 1' and '1' or '1
>> in the username and password box. I ran the query
>> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
>> And it returned all rows.
>> Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar hack.
>> Appreciate any feedback.
>> --
>> Dave