Query about SQL Injection in webpages

Question

Suppose you have a webpage requires you to input your username and password for authentication.

The username name "abs" and the password is "1234abcd" - you gain entry to the your profile.

But my question is, why is that if I input "abs' --" in the username field and no password, it still returns my profile page?

What is happening behind the scenes with the server, SQL and user?

I just cant seem to understand this. Thanks guys for any help.

Without any code no one can help you. Frameworks? Login Process? Please give us information — Kevin Kendzia, Dec 08 '16 at 11:15
If that is what happens, then the server-side code is horribly broken. — Thilo, Dec 08 '16 at 11:20
Maybe the reason you don't understand it is that you didn't know that `--` starts a comment in SQL. — Barmar, Dec 08 '16 at 11:37

score 0 · Answer 1 · answered Dec 08 '16 at 11:34

0

You're apparently substituting the parameters into your SQL string without escaping them. The code presumably looks something like:

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

So after your inputs are substituted, the result is:

SELECT * FROM users WHERE username = 'abs' --' AND password = ''

The quote in the username you entered is terminating the string. Then the -- starts a comment, so the rest of the query is ignored. So you've transformed the query to just:

SELECT * FROM users WHERE username = 'abs'

and it no longer checks the password.

answered Dec 08 '16 at 11:34

Barmar

741,623
53
500
612

I understand, but how would you protect yourself from this? – user3023117 Dec 08 '16 at 11:43
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Barmar Dec 08 '16 at 11:48
1

It's the first question in the **Related** sidebar. It's one of the most upvoted questions on SO. How could you miss it? – Barmar Dec 08 '16 at 11:49

Query about SQL Injection in webpages

1 Answers1