Prerequisite Knowledge
Before you dive into this section, it is recommended that you read the explanation of SQL injection first if this is your first time learning about SQL injection.
How to do SQL injection with the equals operator?
The second challenge server is slightly more secure. The website admin has finally decided to ban all SQL commenting characters in the input fields. This time, instead of removing the password check altogether, we make the server ignore the failed password check.
When the server tries to sign you in, it looks for a user that matches both conditions: the specific username and the specific password. By tacking the classic OR 1=='1' onto the end of the query, the SQL query will match every row in the user database.

For example, if you input an empty username and the password ' OR '1' == '1, the query becomes:

    SELECT * FROM logins WHERE username = '' AND password = '' OR '1' == '1'
The first quote mark closes the password string, so the password comparison evaluates to false because the password is not ''. The OR tacks on another condition, '1'=='1', which is always true. Since AND binds more tightly than OR, the username-and-password check as a whole is ORed with that always-true condition, and because False OR True evaluates to True, the query matches every user in the database.