The basic database query for a simple login is: [sql] SELECT * FROM users WHERE username = 'phillip' AND password = 'taco' [/sql] Which boils down to: "Login if T ∧ T", where the first T is the truth value of the username check (the database finds a row with that username) and the second T is the truth value of the password check (that row's password matches).
Note that, because ∧ (AND) binds more tightly than ∨ (OR) under the precedence rules for logical operators:
T ∧ F = F
T ∨ T ∧ F = T ∨ (T ∧ F) = T
and more importantly
F ∨ T ∨ T ∧ F = F ∨ T ∨ (T ∧ F) = T
Assume that "Phillip Cramer" is a username in the database. Now, if we are able to inject the ' character into the query string, we can inject
and we change the query into:
This yields a success because we have changed the boolean part of the query to T ∨ T ∧ F, which is T ∨ (T ∧ F) = T. However, this approach isn't very useful, because we had to know that Phillip Cramer was in the database.
If we modify the name to be:
then this makes the query:
This yields a success because we have changed the boolean part of the query to F ∨ T ∨ T ∧ F. The first F is generated because 'wrongname' isn't in the database and the second F is generated because 'wrongpassword' isn't in the database either; neither matters, because the tautology ORed into the condition makes the whole statement true.
Note that there is no reason this has to be SQL. Any system that builds queries from unchecked user input lets users construct tautologies, in whatever query language it speaks.
Modification: if the user-supplied value is inserted into the SQL string unquoted (unescaped), such as:
then the ' injections can be left out entirely, since there is no quoted string to break out of.
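As an added worked example (not code from the original post), the following Python script builds the post's login query by string concatenation and runs it against an in-memory SQLite database seeded with constructed sample rows. It exercises the "Phillip Cramer" tautology from above, the precedence trap (a tautology injected into the username field alone is swallowed by the AND and fails), the tautology placed where it is ORed to the whole condition, the unquoted-number case from the last paragraph where no ' is needed, and a parameterized query against which the same inputs do nothing. The table and column names, the sample users, and the helper function names are assumptions of this example, not taken from the post.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
SAMPLE_USERS = [("Phillip Cramer", "taco"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The post's query, built by concatenation. Returns matching usernames.

    AND binds tighter than OR, so a tautology only helps if it is ORed
    against the whole (username AND password) term, i.e. it must land
    after the password comparison or be followed by a comment marker.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def vulnerable_lookup_by_id(conn, user_id):
    """Numeric column interpolated without quotes: no ' is needed to inject."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """Parameterized form: input is bound as data, so no tautology can form."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Known-username case: T OR (T AND F) = T
    print(vulnerable_login(db, "Phillip Cramer' OR username = 'Phillip Cramer", "x"))
    # Precedence trap: F OR (T AND F) = F, so no rows
    print(vulnerable_login(db, "wrongname' OR 'a'='a", "wrongpassword"))
    # Tautology ORed to the whole condition: (F AND F) OR T = T, every row
    print(vulnerable_login(db, "wrongname", "wrongpassword' OR 'a'='a"))
    # Unquoted numeric field: no quote character required
    print(vulnerable_lookup_by_id(db, "1 OR 1=1"))
    # Same payload against the parameterized query matches nothing
    print(safe_login(db, "Phillip Cramer' OR username = 'Phillip Cramer", "x"))
```

Running it shows the known-username payload returning only Phillip Cramer's row, the username-only tautology returning nothing because it is ANDed with the false password check, the password-field tautology returning every user, and the unquoted id payload likewise dumping the table, while the parameterized query treats each payload as a literal string and returns nothing.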