The basic database query for a simple login is: [sql] SELECT * FROM users WHERE username = 'phillip' AND password = 'taco' [/sql] Which boils down to: "Log in if T ∧ T", where the first T is the result the database returns when the username exists and the second T is the result when the password matches that user's row.
Note that, because of the precedence rules for logical operators (∧ binds more tightly than ∨, so a ∨ b ∧ c is parsed as a ∨ (b ∧ c)):
T ∧ F = F
but
T ∨ T ∧ F = T ∨ (T ∧ F) = T
and more importantly
F ∨ T ∨ T ∧ F = F ∨ T ∨ (T ∧ F) = T
Assume that "Phillip Cramer" is a username in the database. Now, if we are able to inject the ' character into the query string (the single quote closes the string literal, so whatever follows it is parsed as SQL rather than as data), we can inject
and we change the query into:
Which will yield a success because we have changed the boolean part of the query to T ∨ T ∧ F = T ∨ (T ∧ F) = T. However, this approach isn't as useful, because we had to know that Phillip Cramer was in the database.
If we modify the name to be:
then this makes the query:
Which will yield a success because we have changed the boolean part of the query to F ∨ T ∨ T ∧ F = F ∨ T ∨ (T ∧ F) = T. The first F is generated because 'wrongname' isn't in the database and the last F is generated because 'wrongpassword' doesn't match either; but this doesn't matter, because the injected tautology (the middle T) makes the whole disjunction true, and the database returns rows without a single correct credential.
-
Note there is no reason that this has to be SQL. Any database or query language whose queries are built by splicing in unchecked user input lets users create tautologies in exactly the same way; the only thing that changes is the syntax of the quote character and the OR operator.
-
Modification: if the user-supplied value is placed into the SQL string without surrounding quotes (an unquoted, typically numeric, comparison), such as:
Then there is no string literal to break out of, and you can leave the ' out of the injection entirely; the tautology is appended directly after the number.
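The following is an added example, not code from the original post. It builds a throw-away SQLite database with a few constructed rows, a login function that assembles its query by string concatenation (the vulnerable pattern the post describes), and a parameterised version for comparison. Because the post's own injection strings are not reproduced above, the two payloads below are my reconstruction chosen to produce exactly the boolean shapes discussed (T ∨ T ∧ F for the known-username case, F ∨ T ∨ T ∧ F for the unknown-username case); the user names, passwords and table layout are likewise invented for the demo. The last function shows the unquoted-value variant, where no ' is needed.

```python
import sqlite3

# Constructed sample data for this example only (plaintext passwords purely
# so the query shape matches the post; never store passwords this way).
SAMPLE_USERS = [("phillip", "taco"), ("Phillip Cramer", "s3cret")]

# Assumed payloads (not taken from the post). The leading value closes the
# string literal; everything after the ' is parsed as SQL.
#   known user:   username = 'Phillip Cramer' OR 'a'='a' AND password = '...'
#                 -> T OR (T AND F) = T
#   unknown user: username = 'wrongname' OR 'a'='a' OR 'b'='b' AND password = '...'
#                 -> F OR T OR (T AND F) = T
KNOWN_USER_PAYLOAD = "Phillip Cramer' OR 'a'='a"
UNKNOWN_USER_PAYLOAD = "wrongname' OR 'a'='a' OR 'b'='b"


def make_db():
    """Create an in-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_query(username, password):
    """Vulnerable: user input is concatenated straight into the SQL text."""
    return (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Returns True if the concatenated query matches at least one row."""
    rows = conn.execute(build_query(username, password)).fetchall()
    return len(rows) > 0


def safe_login(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so a quote inside the input is just a character in the data."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def build_numeric_query(user_id):
    """Vulnerable unquoted variant: the value is not inside a string literal,
    so an injection needs no ' at all (e.g. user_id = "1 OR 1=1")."""
    return "SELECT * FROM users WHERE id = " + str(user_id)


def vulnerable_lookup(conn, user_id):
    """Returns every row the unquoted concatenated query matches."""
    return conn.execute(build_numeric_query(user_id)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("phillip", "taco"),
                     (KNOWN_USER_PAYLOAD, "wrongpassword"),
                     (UNKNOWN_USER_PAYLOAD, "wrongpassword")]:
        print(build_query(user, pw))
        print("  vulnerable:", vulnerable_login(db, user, pw),
              " parameterised:", safe_login(db, user, pw))
    print(build_numeric_query("1 OR 1=1"))
    print("  rows returned:", len(vulnerable_lookup(db, "1 OR 1=1")))
```

Running it prints each assembled query next to its outcome: the unknown-username payload logs in through the concatenated query (every row satisfies F ∨ T ∨ (T ∧ F)) but is rejected by the parameterised one, and the unquoted `id = 1 OR 1=1` query returns the whole table. The fix is not escaping quotes by hand but keeping data out of the SQL text altogether, which the `?` placeholders do.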