   comp.databases.ms-sqlserver      Notorious Rube Goldberg contraption      19,505 messages   

   Message 19,146 of 19,505   
   Tony Johansson to All   
   Re: SQL injection   
   29 Jan 15 11:03:22   
   
   From: johansson.andersson@telia.com   
      
   Yes I can understand why it fetches all the rows now.   
   Many thanks.   
      
   //Tony   
      
   "Lennart Jonsson"  skrev i meddelandet   
   news:maaotr$e36$1@dont-email.me...   
   > On 2015-01-28 12:45, Tony Johansson wrote:   
   >> In the form there is a text field for name   
   >>   
   >> This query is meant to be used like this   
   >> select Namn, Adress, Telefonnummer   
   >> from Abonnent   
   >> where Namn = 'Olle Karlsson'      //This name is fetched from the text   
   >> field name in the form   
   >> and hemligtNummer = false;   
   >>   
   >> If now the user enters some strange characters in the text field in the   
   >> form like this   
   >> select Namn, Adress, Telefonnummer   
   >> from Abonnent   
   >> where Namn = 'Olle Karlsson' or 'a'='a' or 'a'='a'   
   >> and hemligtNummer = false;   
   >>   
   >> I don't understand how the second query can result in all rows being   
   >> fetched   
   >>   
   >   
   > The where clause evaluates to   
   >   
   >     where Namn = 'Olle Karlsson'   
   >        or 'a'='a'   
   >        or ('a'='a' and hemligtNummer = false);   
   >   
   >   
   > /Lennart   
   >   
   >   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
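The precedence point in Lennart's answer, worked through as an added example that is not part of the original thread. The code is mine, not the poster's: it uses Python's sqlite3 as a stand-in for the SQL Server the group discusses, and the rows, addresses and phone numbers are constructed; only the table and column names come from the post (SQLite stores booleans as integers, so `hemligtNummer = 0` plays the role of the post's `= false`). It shows the concatenated query returning every row, including the one with a secret number, for the exact text-field input from the post; Lennart's explicitly parenthesized form returning the same rows; and a parameterized query that treats that same input as an ordinary name and matches nothing.

```python
import sqlite3

# Constructed sample data, not from the original thread: a small Abonnent
# table with the columns named in the post. SQLite stores booleans as
# integers, so hemligtNummer uses 0/1 where the post writes false/true.
ROWS = [
    ("Olle Karlsson", "Storgatan 1", "08-111 11 11", 0),
    ("Anna Svensson", "Lillgatan 2", "08-222 22 22", 0),
    ("Erik Nilsson", "Dolda vagen 3", "08-333 33 33", 1),  # secret number
]

# The text-field content from the post, exactly as a user would type it.
INJECTED_NAME = "Olle Karlsson' or 'a'='a' or 'a'='a"


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Abonnent (Namn text, Adress text, "
        "Telefonnummer text, hemligtNummer integer)"
    )
    conn.executemany("insert into Abonnent values (?, ?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the form field is pasted into the SQL text, as in the post."""
    sql = (
        "select Namn, Adress, Telefonnummer from Abonnent "
        f"where Namn = '{name}' and hemligtNummer = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_parenthesized(conn):
    """Lennart's reading of the injected query with the grouping made explicit:
    AND binds tighter than OR, so the filter only applies to the last 'a'='a'."""
    sql = (
        "select Namn, Adress, Telefonnummer from Abonnent "
        "where Namn = 'Olle Karlsson' "
        "   or 'a'='a' "
        "   or ('a'='a' and hemligtNummer = 0)"
    )
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = (
        "select Namn, Adress, Telefonnummer from Abonnent "
        "where Namn = ? and hemligtNummer = 0"
    )
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run all three variants against the same data and return the row lists."""
    conn = make_db()
    return {
        "honest_concat": lookup_concat(conn, "Olle Karlsson"),
        "injected_concat": lookup_concat(conn, INJECTED_NAME),
        "parenthesized": lookup_parenthesized(conn),
        "injected_param": lookup_param(conn, INJECTED_NAME),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The two string-built queries return identical row sets, which is the whole of Lennart's point: the `and hemligtNummer = false` the author thought was protecting the secret numbers is grouped with the final `'a'='a'` alone, and the earlier `or 'a'='a'` is already true for every row. With the bound parameter the database never parses the quotes in the input as SQL, so the same text simply fails to match any `Namn`.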
