312-49 · Question #421
312-49 Question #421: Real Exam Question with Answer & Explanation
The correct answer is C: Deletes the entire members table.
Question
What will the following command produce on a website login page?
SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'
Options
- A. Retrieves the password for the first user in the members table
- B. This command will not produce anything since the syntax is incorrect
- C. Deletes the entire members table
- D. Inserts the email address into the members table
Explanation
Option C is correct because the injected input uses a semicolon (;) to terminate the original SELECT statement early, then executes a second, fully valid DROP TABLE members statement - which permanently destroys the entire table. The trailing -- is a SQL comment that neutralizes any leftover syntax (the closing quote), preventing a parse error and allowing both statements to run successfully.
Why the distractors are wrong:
- A is wrong because the SELECT statement targets a specific email address, not the first user, and the real damage comes from the DROP TABLE, not the select.
- B is wrong because the syntax is valid - this is a real, working SQL injection attack; many databases support multiple statements separated by semicolons.
- D is wrong because there is no INSERT statement anywhere in the command; no data is being added.
Memory tip: Think of ; as a "period" that ends one SQL sentence and starts a new, attacker-controlled one - and -- as the attacker "whiting out" the rest of the original line. Any time you see ; DROP TABLE in a SQL injection question, the answer almost always involves data destruction, not retrieval or insertion.