What are other ways to return true in SQL?
The third challenge server is slightly more secure than before. The website admin has finally decided to ban all SQL commenting characters and the equals sign (=) in the input fields. This time, we can use other ways to return true.
When you try to sign in, the server looks for a user that matches both conditions: the specific username and the specific password. By tacking the classic OR {true argument} onto the end of the query, the SQL query will match every item in the user database.
For example, if you input an empty username and the password ' OR 1 LIKE 2 OR ', the query becomes:
SELECT * FROM logins WHERE username = '' AND password = '' OR 1 LIKE 2 OR ''
The first quote mark closes the password string literal, so password = '' evaluates to false because the password is not ''. The OR tacks on another argument, 1 LIKE 2, which is always true. Because FALSE OR TRUE evaluates to TRUE, this query matches every user in the database.
As you may have noticed, there are many ways to evaluate to true, such as:
'1' is true because numbers greater than 0 evaluate to true (SQL auto-casts strings to numbers).
TRUE OR '1' is true because TRUE is the SQL keyword that evaluates to true.
NOT FALSE is true for the same reason.
1 < 3 is true because 1 is less than 3.
3 > 2 is true because 3 is greater than 2.
2 LIKE 3 is true because 2 is of the same type as 3 (both are integers).
2 BETWEEN 1 AND 3 is true because 2 is between 1 and 3.