Thursday 8 December 2016

Escaping single quote on SQL injection

Hello, I am going through some SQL injection examples and I have the following scenario:

In this example, aware of the risk of SQL injection, the developer decided to block single quotes ' by removing any single quote ' in the query. However, there is still a way to break out of the SQL syntax and inject arbitrary SQL.

To do so, you need to think of the query:

SELECT * FROM users WHERE username='[username]' and password='[password]'

The problem here is that you cannot, in theory, break out of the single quotes ' since you cannot inject any quote. However, if you inject a backslash \, the second ' in the query (the one supposed to finish the string [username]) will be escaped and will be closed by the third one (the one supposed to start the string [password]).

Doesn't this mean that if I input a "\" in the username field it will automatically break the query and look something like

SELECT * FROM users WHERE username='[username] and password=' ..

Am I missing something? Should I provide the backslash in another way?
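To see the mechanism the quoted text describes, here is an added example (not from the question or from the tutorial it quotes): a small MySQL-style string lexer shows which parts of the concatenated query end up outside any string literal once the username is a lone backslash, and a parameterized sqlite3 lookup shows the fix. The users table, its sample row and all helper names are assumptions constructed for the demo; SQLite itself does not treat backslash as an escape inside string literals, so the lexer models MySQL's rule rather than executing the unsafe query.

```python
import sqlite3

def naive_sanitize(value):
    """The flawed defence from the question: strip single quotes only."""
    return value.replace("'", "")

def build_query(username, password):
    """Query built by string concatenation after quote stripping."""
    return ("SELECT * FROM users WHERE username='%s' and password='%s'"
            % (naive_sanitize(username), naive_sanitize(password)))

def tokenize(sql):
    """Split a query into ('sql', text) and ('str', text) tokens the way a
    MySQL-style lexer does: inside a single-quoted string a backslash
    escapes the next character, so an escaped quote does not end it."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":                      # outside a string: SQL syntax
            j = sql.find("'", i)
            j = n if j == -1 else j
            tokens.append(("sql", sql[i:j]))
            i = j
            continue
        buf, j = [], i + 1                     # inside a string literal
        while j < n and sql[j] != "'":
            if sql[j] == "\\" and j + 1 < n:   # backslash escapes next char
                buf.append(sql[j + 1])
                j += 2
            else:
                buf.append(sql[j])
                j += 1
        tokens.append(("str", "".join(buf)))   # unterminated string gives ""
        i = j + 1
    return tokens

def demo_db():
    """Constructed in-memory users table with one sample row (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'sample-pass')")
    return conn

def safe_lookup(conn, username, password):
    """The fix: bound parameters, so the driver never lets data become syntax."""
    return conn.execute("SELECT * FROM users WHERE username=? AND password=?",
                        (username, password)).fetchall()

if __name__ == "__main__":
    print(tokenize(build_query("\\", "pw")))   # ('sql', 'pw') is now SQL, not data
    print(safe_lookup(demo_db(), "\\", "pw"))  # [] : the backslash is inert
```

With the lone backslash, the token list shows the second quote swallowed into the username literal and the password value sitting outside any string, which is exactly the point where arbitrary SQL would be parsed; with bound parameters the same input is just a string that matches no row.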
