312-50V12 Question #9: Real Exam Question with Answer & Explanation
The correct answer is D: select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'
Question
Suppose that you are testing an application for SQL injection vulnerabilities. You know that the backend database is Microsoft SQL Server. In the login/password form, you enter the following credentials: Based on the above credentials, which of the following SQL commands do you expect the server to execute, if there is indeed an SQL injection vulnerability?
Options
- A. select * from Users where UserName = 'attack' ' or 1=1 -- and UserPassword = '123456'
- B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'
- C. select * from Users where UserName = 'attack or 1=1 -- and UserPassword = '123456'
- D. select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'
Explanation
Query built from the submitted credentials: SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1 --' AND Password='Springfield'
SQL query actually executed: SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1
Everything after -- is now a comment: --' AND Password='Springfield'
The single quote in the submitted username closes the string literal, "or 1=1" makes the WHERE clause always true, and the "--" sequence comments out the rest of the statement, including the password check. Option D is the only one that places the quote and the comment marker this way.