I have been told that the method of escaping single quotes is easy to bypass in a SQL injection attack. For example, if I were to have the line:
username='admin' and password='$password'
where the user types in "$password", and any single quote they type gets replaced by a double quote, could you give me an example command that would break this? I know the backslash character ( \ ) is used to escape a character, but I'm not sure how it would work out still.
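An added example, not part of the original post: the quote-replacement filter described above next to a bound-parameter version of the same query, run on SQLite. The filter is assumed to turn each `'` into `''`; the `users` table, the function names and the sample inputs are constructed for illustration. The filter never touches the backslash, so whether it is sufficient depends on the string-literal rules of the database in use (MySQL in its default mode, for instance, also treats backslash as an escape character), while the bound query keeps the SQL text fixed for every input.

```python
import sqlite3

def escape_quotes(value: str) -> str:
    # Assumed reading of the post's filter: every ' becomes ''.
    return value.replace("'", "''")

def filtered_query(password: str) -> str:
    # String-built statement: user input becomes part of the SQL text.
    return ("SELECT 1 FROM users WHERE username='admin' "
            "AND password='" + escape_quotes(password) + "'")

# Bound statement: the SQL text is fixed; the value travels separately.
BOUND_QUERY = "SELECT 1 FROM users WHERE username='admin' AND password=?"

def make_db(admin_password: str) -> sqlite3.Connection:
    # Plain-text password column only to mirror the post's query;
    # a real table would hold a salted password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", admin_password))
    return conn

def login_bound(conn: sqlite3.Connection, password: str) -> bool:
    # The driver passes the password as data; it is never parsed as SQL.
    return conn.execute(BOUND_QUERY, (password,)).fetchone() is not None

# Constructed sample inputs containing quote and backslash characters.
SAMPLES = ["it's", "back\\slash", "a\\b'c"]

def report():
    # The stored password itself contains a backslash and a quote.
    conn = make_db("a\\b'c")
    rows = []
    for s in SAMPLES:
        rows.append((s, escape_quotes(s), login_bound(conn, s)))
    return rows

if __name__ == "__main__":
    for raw, filtered, ok in report():
        print(f"{raw!r:>14} -> filtered {filtered!r:<16} bound login: {ok}")
```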