nerdexam
EC-Council

312-50V10 · Question #194

A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is

The correct answer is B. Single quote. In SQL injection testing, the single quote is the canonical first character used to probe whether user input is being sanitized and passed directly into a SQL query.

SQL Injection

Question

A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?

Options

  • ASemicolon
  • BSingle quote
  • CExclamation mark
  • DDouble quote

How the community answered

(43 responses)
  • A
    5% (2)
  • B
    86% (37)
  • C
    7% (3)
  • D
    2% (1)

Why each option

In SQL injection testing, the single quote is the canonical first character used to probe whether user input is being sanitized and passed directly into a SQL query.

ASemicolon

A semicolon is used in SQL injection to chain additional statements, but it is not the first character used to test for vulnerability - it presupposes injection is already possible.

BSingle quoteCorrect

A single quote (') is used to attempt to break out of the string context in a SQL statement, which can cause a syntax error or expose underlying query structure if the input is not properly sanitized. If the application returns a database error after submitting a single quote, it confirms that raw input is being interpolated into the SQL query. This is the standard first probe in manual SQL injection testing because it directly tests string delimiter handling.

CExclamation mark

An exclamation mark has no special meaning in standard SQL syntax and would not break a query or reveal injection points.

DDouble quote

A double quote may be valid in some database dialects but is not the universally recognized first probe character for SQL injection testing.

Concept tested: SQL injection initial probe character identification

Source: https://owasp.org/www-community/attacks/SQL_Injection

Topics

#SQL injection#single quote#input validation#injection testing

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice