72.2k views
5 votes
What is a commonly publicized password sql injection string?

asked by Ever (7.7k points)

1 Answer

1 vote
The strings "or 1=1" and "' or ''='" can be commonly used to trick an SQL WHERE clause into becoming true.

So if you specify ' or ''=' as a password, you can log in if the query string would be:

select username,pass from users where username='you' and password='' or ''='' limit 0,1;
answered by Tiago Coelho (7.5k points)
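The answer above shows the resulting query but not why it passes. The reason is operator precedence: AND binds tighter than OR, so `username='you' and password='' or ''=''` is evaluated as `(username='you' and password='') or (''='')`, and the second half is true for every row. With `limit 0,1` the database then hands back the first row in the table, which is usually not the account the attacker typed in. The script below is an added example, not code from the original post: it builds a small in-memory SQLite table with two constructed accounts (admin and you), reproduces the string-concatenated login query, shows both payloads from the answer bypassing it, and contrasts it with the parameterized form that does not. Table and column names (`users`, `username`, `password`) and the sample credentials are assumptions made for this example.

```python
import sqlite3

# Constructed sample accounts for this example; the first row is deliberately
# a privileged user so the "first row wins" effect of LIMIT 0,1 is visible.
USERS = [
    ("admin", "s3cret-admin"),
    ("you", "correct-horse"),
]


def make_db():
    """Create an in-memory SQLite database with a users(username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    conn.commit()
    return conn


def build_query(username, password):
    """Build the login query by string interpolation, the way the answer's
    example query must have been built. This is the vulnerable pattern."""
    return (
        "select username,password from users "
        "where username='%s' and password='%s' limit 0,1" % (username, password)
    )


def vulnerable_login(conn, username, password):
    """Run the interpolated query. Returns the username of the matched row,
    or None when no row matches. A payload such as ' or ''=' turns the WHERE
    clause into (username=... and password='') or (''='') which is true for
    every row, so LIMIT 0,1 returns the first row in the table."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters. The payload is compared as a literal
    string against the password column and never changes the query structure."""
    row = conn.execute(
        "select username,password from users "
        "where username=? and password=? limit 0,1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for payload in ["' or ''='", "' or 1=1 --"]:
        print("payload:", payload)
        print("  query :", build_query("you", payload))
        print("  vuln  :", vulnerable_login(conn, "you", payload))
        print("  safe  :", safe_login(conn, "you", payload))
```

Running it shows that both payloads log the attacker in as admin through the interpolated query (the first row, not the "you" account that was named) while the parameterized version returns None for both. The `' or 1=1 --` variant works the same way, with the `--` comment discarding the trailing quote and `limit` clause.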