home bbs files messages ]

Forums before death by AOL, social media and spammers... "We can't have nice things"

   comp.databases.ms-sqlserver      Notorious Rube Goldberg contraption      19,505 messages   

[   << oldest   |   < older   |   list   |   newer >   |   newest >>   ]

   Message 19,143 of 19,505   
   Tony Johansson to All   
   SQl -injection   
   28 Jan 15 12:45:13   
   
   From: johansson.andersson@telia.com   
      
   In the form there is a text field for name   
      
   This query is meant to be used like his   
   select Namn, Adress, Telefonnummer   
   from Abonnent   
   where Namn = 'Olle Karlsson'      //This name is fetched from the text field   
   name in the form   
   and hemligtNummer = false;   
      
   If now the user enter some strange character in the text field in the form   
   like this   
   select Namn, Adress, Telefonnummer   
   from Abonnent   
   where Namn = 'Olle Karlsson' or 'a'='a' or 'a'='a'   
   and hemligtNummer = false;   
      
   I don't understand how the second query can result that all rows will be   
   fetched   
      
   //tony   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   

[   << oldest   |   < older   |   list   |   newer >   |   newest >>   ]


(c) 1994,  bbs@darkrealms.ca