nerdexam
EC-Council

312-50V11 · Question #194

A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is

The correct answer is B. Single quote. When testing for SQL injection, a single quote is the standard first character used because it attempts to terminate the string literal in the SQL query, potentially breaking its syntax and revealing vulnerability.

SQL Injection

Question

A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?

Options

  • ASemicolon
  • BSingle quote
  • CExclamation mark
  • DDouble quote

How the community answered

(50 responses)
  • A
    2% (1)
  • B
    90% (45)
  • C
    2% (1)
  • D
    6% (3)

Why each option

When testing for SQL injection, a single quote is the standard first character used because it attempts to terminate the string literal in the SQL query, potentially breaking its syntax and revealing vulnerability.

ASemicolon

A semicolon is used to terminate SQL statements and can be useful in chaining queries, but it is not the first character used to detect injection vulnerability since it does not break string context.

BSingle quoteCorrect

A single quote (') is the primary delimiter for string literals in SQL. Injecting it into an input field attempts to close an open string, which can cause a syntax error or alter query logic, confirming that user input is being interpolated directly into a SQL statement without sanitization or parameterization.

CExclamation mark

An exclamation mark has no special meaning in standard SQL syntax and would not cause a query to break or reveal injection susceptibility.

DDouble quote

A double quote is a delimiter in some databases (like MySQL in ANSI mode or PostgreSQL for identifiers), but the single quote is the universal standard starting point for SQL injection testing across all major RDBMS platforms.

Concept tested: SQL injection initial string delimiter testing

Source: https://owasp.org/www-community/attacks/SQL_Injection

Topics

#SQL injection#single quote#input validation#database attack

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice