312-50V11 · Question #194
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is
The correct answer is B. Single quote. When testing for SQL injection, a single quote is the standard first character used because it attempts to terminate the string literal in the SQL query, potentially breaking its syntax and revealing vulnerability.
Question
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?
Options
- ASemicolon
- BSingle quote
- CExclamation mark
- DDouble quote
How the community answered
(50 responses)- A2% (1)
- B90% (45)
- C2% (1)
- D6% (3)
Why each option
When testing for SQL injection, a single quote is the standard first character used because it attempts to terminate the string literal in the SQL query, potentially breaking its syntax and revealing vulnerability.
A semicolon is used to terminate SQL statements and can be useful in chaining queries, but it is not the first character used to detect injection vulnerability since it does not break string context.
A single quote (') is the primary delimiter for string literals in SQL. Injecting it into an input field attempts to close an open string, which can cause a syntax error or alter query logic, confirming that user input is being interpolated directly into a SQL statement without sanitization or parameterization.
An exclamation mark has no special meaning in standard SQL syntax and would not cause a query to break or reveal injection susceptibility.
A double quote is a delimiter in some databases (like MySQL in ANSI mode or PostgreSQL for identifiers), but the single quote is the universal standard starting point for SQL injection testing across all major RDBMS platforms.
Concept tested: SQL injection initial string delimiter testing
Source: https://owasp.org/www-community/attacks/SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.