Take a guess
Before hacking the system shown just try to guess a user name and password (bill and ben for example). Unless you are very lucky you will not get into the system.
Force an Error
If you enter a string with a single quote in it such as O'Brien for either user name or password you will get a Software Error as the SQL is invalid and cannot be parsed.
Force Entry
If you enter the string ' OR ''=' as both user name
and password you can ensure that the WHERE
clause always returns true. Without knowing any user names or passwords you can by-pass the log in screen. In this example you get the user name of the first person in the table. The magic string works because it program evaluates:
SELECT name from users WHERE name='name'
AND password='password' as the 'always true' string: SELECT name from users WHERE name=''
OR ''='' AND password='' OR ''=''
next page
Find password using sql injection
0 comments:
Post a Comment