
The main idea behind SQL injection attacks is to be able insert text which becom


Question

The main idea behind SQL injection attacks is to be able to insert text which becomes part of the SQL command. Consider the following SQL statement that uses an incorrect password value:

mysql> select name, lastlogin from user where name='alice' and pass='KingKong';

Without erasing anything from the command, add characters so that whatever is typed for the password becomes irrelevant. You’ll want to look at the SQL comment characters --, which behave much like // in Java and C++. Note that you’ll probably need a space after the -- to get things to work. Also, you should only insert characters immediately before the word ‘and’ above. If you are inserting them anywhere else, you are off on the wrong track and probably won’t be able to complete the lab correctly.

Explanation / Answer

The rules for the above question apply in the following ways:

A comment can appear between any keywords, parameters, or punctuation marks in a statement. You can include a comment in a statement in two ways:

Begin the comment with a slash and an asterisk (/*). Proceed with the text of the comment. This text can span multiple lines. End the comment with an asterisk and a slash (*/). The opening and terminating characters need not be separated from the text by a space or a line break.

Begin the comment with -- (two hyphens). Proceed with the text of the comment. This text cannot extend to a new line. End the comment with a line break.

Find the encrypted query below:

select name,
lastlogin from user
where name='alice' -- name: my name is alice '
and pass='KingKong'; -- boom!', 'Whatever')
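An added example, not part of the original question or answer, showing the -- comment rule from the application side: the same crafted name value is sent to a concatenated query, to a concatenated query with the password test on its own line, and to a bound-parameter query. It assumes SQLite through Python's sqlite3 module in place of MySQL (SQLite accepts "-- " but does not require the space); the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table shaped like the lab's `user` table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (name text, pass text, lastlogin text)")
    db.execute("insert into user values ('alice', 'S3cret!', '2024-01-01')")
    return db

def login_concat(db, name, password):
    # Vulnerable: input is spliced into the SQL text, so a quote in `name`
    # ends the string literal and `-- ` comments out the rest of the line.
    sql = ("select name, lastlogin from user "
           "where name='" + name + "' and pass='" + password + "'")
    return db.execute(sql).fetchall()

def login_concat_multiline(db, name, password):
    # Same splice, but the password test starts on its own line. A `--`
    # comment stops at the line break, so the test is still evaluated.
    sql = ("select name, lastlogin from user\n"
           "where name='" + name + "'\n"
           "and pass='" + password + "'")
    return db.execute(sql).fetchall()

def login_param(db, name, password):
    # Hardened: values are bound as data and never parsed as SQL.
    sql = "select name, lastlogin from user where name=? and pass=?"
    return db.execute(sql, (name, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "alice' -- "  # the lab's inserted characters, arriving as input
    for fn in (login_concat, login_concat_multiline, login_param):
        print(fn.__name__, fn(db, crafted, "KingKong"))
```

The multi-line result follows only from the comment ending at the line break; query layout is not a mitigation, and the bound-parameter form is the fix.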