Questions about this topic? Sign up to ask in the talk tab.
SQL injection/Basics/Testing/WHERE clause
From NetSec
- SQL injection > Basics > Testing > WHERE clause
The most reliable of tests consist of boolean challenges that filter the results a query returns combined with arithmetic operators. Boolean challenges will return zero rows if conditions are not met, whereas they will return the same value if the conditions are met. This way researchers are able to determine vulnerability via a "true/false" test.
- In the first example (using $id) we have an unsanitized integer. The URI (uniform resource indicator) may look something like:
/article_by_id.php?id=10
- A researcher could check that URI against:
/article_by_id.php?id=10%20AND%201=1 and /article_by_id.php?id=10%20AND%201=0
- When a page is vulnerable, the page on
/article_by_id.php?id=10%20AND%201=1
will match the page on:
/article_by_id.php?id=10
however the page at:
/article_by_id.php?id=10%20AND%201=0
will have data (and likely the entire article) missing.
- In the second example, using $title, the same affect can be achieved on an unsanitized string with the following URI's:
/article_by_title.php?id=SQL%27%20AND%20%271%27=%270 /article_by_title.php?id=SQL%27%20AND%20%271%27=%271
The same methodology as the integer test applies, merely with added single quotes (%27).