Example
In order to summarize all the topics, we are going to test an application with an SQL injection bug.
Here, we have an application with a simple form that has a field vulnerable to SQL injection:
To confirm the vulnerability, we are going to test the following string: '1 or 1==1--
Using this string generates an error in the application, which indicates that the single quote is causing a problem. However, this string was not evaluated by the DBMS as a TRUE value. To extract all the records in the table, we are going to use another, equivalent string that retrieves those records:
Basically, the string does the same thing: it is a statement that forces the SQL query to evaluate to TRUE. In this case, the application responds with all the records. To better understand what is happening, let's look at the following SQL query:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
The application expects a number in the id parameter; when we enter a TRUE value...
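As an added example (not the book's own code), the same lookup rebuilt on an in-memory SQLite database, with the concatenated query from the text beside a parameterized one; the users table, its rows and the helper names are constructed here. It shows that the test string above breaks the concatenated query, as the text describes, while the bound-parameter version treats it as plain data and simply matches no record.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]

# The test string from the text above, exactly as typed into the form.
PROBE = "'1 or 1==1--"


def make_db():
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the page's $query: the id is spliced straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the DBMS receives the id as a bound value, never as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(query, (user_id,)).fetchall()


def probe_outcome(lookup):
    """Run the probe string through a lookup: returns 'error' or the rows found."""
    conn = make_db()
    try:
        return lookup(conn, PROBE)
    except sqlite3.OperationalError:
        # The stray single quote leaves the DBMS with a malformed statement.
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "2"))         # [('Gordon', 'Brown')]
    print(lookup_parameterized(conn, "2"))      # [('Gordon', 'Brown')]
    print(probe_outcome(lookup_vulnerable))     # error
    print(probe_outcome(lookup_parameterized))  # []
```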