GCIH · Question #629
An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and avoid syntax errors?
The correct answer is A. ' or 1=1;--. This is a classic SQL injection where a single quote closes the string literal and -- comments out the trailing syntax, injecting an always-true condition to return all rows.
Question
An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and avoid syntax errors? select email from employee where name = '榌VALUE]';
Options
- A' or 1=1;--
- B' or select email from employee
- Cor select email from employee
- Dor 1=1
How the community answered
(24 responses)- A71% (17)
- B8% (2)
- C17% (4)
- D4% (1)
Why each option
This is a classic SQL injection where a single quote closes the string literal and -- comments out the trailing syntax, injecting an always-true condition to return all rows.
Entering ' or 1=1;-- transforms the executed query into: select email from employee where name = '' or 1=1;-- '; the leading apostrophe closes the open string literal in the WHERE clause, 'or 1=1' creates a condition that is always true causing all rows and thus all email addresses to be returned, and the -- SQL comment marker causes the database engine to ignore the trailing apostrophe from the original query, preventing a syntax error.
' or select email from employee would produce a syntax error because placing a bare SELECT statement after OR in a WHERE clause requires a valid subquery form with parentheses, and the original trailing apostrophe from the query would remain uncommented.
or select email from employee lacks a leading apostrophe to break out of the open string literal, so the entire input is interpreted as the literal string value being searched rather than injected SQL syntax.
or 1=1 does not begin with an apostrophe to escape the string context, so the input is treated as a literal string value within the surrounding quotes rather than executable SQL logic.
Concept tested: SQL injection string termination and comment bypass
Source: https://owasp.org/www-community/attacks/SQL_Injection
Topics
Community Discussion
No community discussion yet for this question.