Why does SELECT * FROM users WHERE password='a'='mm'; actually return rows?
And why doesn't SELECT * FROM users WHERE password='1'='1'; work?
What's the exact equal operator compare rule used?
UPDATE(INFORMATION OF TABLES AND ROWS ETC):
mysql> show tables;
+------------------+
| Tables_in_shengy |
+------------------+
| users |
+------------------+
1 row in set (0.00 sec)
mysql> describe users;
+----------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(255) | YES | | NULL | |
| password | varchar(255) | YES | | NULL | |
+----------+--------------+------+-----+---------+-------+
2 rows in set (0.01 sec)
mysql> select * from users;
+----------+----------+
| username | password |
+----------+----------+
| victim | 123456 |
+----------+----------+
1 row in set (0.00 sec)
MySQL converts compares to 0 and 1.
So password='a' evaluates to 0 (unless password actually is 'a').
Also MySQL tries to make comparisons between strings and numbers by converting the string to a number from its beginning.
So 0abc would be converted to 0. abc isn't a number at all and is also 0.
That means
password='a'='mm'
results in
0='mm'
and since mm does not have any leading digits, you get
0=0
which is true.