SQL injection/Basics/Testing/WHERE clause

SQL injection > Basics > Testing > WHERE clause

The most reliable of tests consist of boolean challenges that filter the results a query returns combined with arithmetic operators. Boolean challenges will return zero rows if conditions are not met, whereas they will return the same value if the conditions are met. This way researchers are able to determine vulnerability via a "true/false" test.

• In the first example (using $id) we have an unsanitized integer. The URI (uniform resource indicator) may look something like:

 /article_by_id.php?id=10

• A researcher could check that URI against:

 /article_by_id.php?id=10%20AND%201=1
 and
 /article_by_id.php?id=10%20AND%201=0

• When a page is vulnerable, the page on

 /article_by_id.php?id=10%20AND%201=1

will match the page on:

 /article_by_id.php?id=10

however the page at:

 /article_by_id.php?id=10%20AND%201=0

will have data (and likely the entire article) missing.

• In the second example, using $title, the same affect can be achieved on an unsanitized string with the following URI's:

 /article_by_title.php?id=SQL%27%20AND%20%271%27=%270
 /article_by_title.php?id=SQL%27%20AND%20%271%27=%271

The same methodology as the integer test applies, merely with added single quotes (%27).

Most of today's security systems will easily identify and block simple testing methods like those illustrated above.