
Trying to learn and understand SQL injection.

Can anyone explain to me why `' or 1=1; -- -` allowed me to bypass authentication and `or 1=1` did not?

dr98
  • Start with this query: `SELECT 1 as Authenticated WHERE Password='$password' AND Username='dr98'` Now, replace $password with each of the values, verbatim. What is the difference in the resulting string-to-be-run-as-a-query? – user2864740 Mar 30 '20 at 21:29
  • Because `WHERE Username = 'MyUserName' AND PasswordHash = 'dsiahbgfdfohgbsdfjobghsl' OR 1=1` is true, and therefore you authenticated. This is why you never inject, and ***always*** parametrise. – Thom A Mar 30 '20 at 21:29
  • Which RDBMS are you interested in? You have tagged 3! – Dale K Mar 30 '20 at 21:30
  • `; --`, semi-colon terminates the statement, and `--` comments out the rest of the query. Need to see the full query to be sure why that works and the other doesn't. – Dale K Mar 30 '20 at 21:31

1 Answer


Think of a query that is built using string concatenation:

"select * from myTable where id = '" + txtIdEnteredByUser + "'"

If the end user inputs:

' or 1=1; -- 

then the query becomes:

select * from myTable where id = '' or 1=1; --'

That is a valid query and always evaluates to true because of the `OR 1=1`; as a result, all the rows of the table are returned.

However, if the user input was:

or 1=1; 

the query becomes:

select * from myTable where id = ' or 1=1;'

which is a query that (most likely) wouldn't return anything.

Cetin Basoz
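The two inputs from the answer, run against a constructed in-memory SQLite table with Python's `sqlite3` module, alongside the parameterised form the comments recommend. This is an added example, not the answerer's code; the table layout, the sample ids and the function names are assumptions, while the concatenated query string is the one the answer shows.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the answer's myTable."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE myTable (id TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO myTable VALUES (?, ?)",
                    [("u1", "alice"), ("u2", "bob"), ("u3", "carol")])
    return con


def build_query(txt_id_entered_by_user):
    """The string concatenation from the answer, reproduced verbatim."""
    return "select * from myTable where id = '" + txt_id_entered_by_user + "'"


def lookup_concatenated(con, user_input):
    """Vulnerable lookup: the user's text becomes part of the SQL itself."""
    rows = con.execute(build_query(user_input))
    return sorted(row[1] for row in rows)


def lookup_parameterised(con, user_input):
    """Fixed lookup: the user's text is bound as a value and never parsed as SQL."""
    rows = con.execute("select * from myTable where id = ?", (user_input,))
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    con = make_db()
    # The answer's two inputs plus an ordinary id, so the three behaviours sit side by side.
    for payload in ["' or 1=1; -- ", "or 1=1; ", "u2"]:
        print("input:         ", repr(payload))
        print("  query text:  ", build_query(payload))
        print("  concatenated:", lookup_concatenated(con, payload))
        print("  parameterised:", lookup_parameterised(con, payload))
```

The first input closes the quote and comments out the trailing `'`, so the concatenated query returns every row; the second stays inside the string literal and matches nothing; the parameterised lookup returns nothing for either.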