nerdexam
GIAC

GCIH · Question #629

An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and avoid syntax errors?

The correct answer is A. ' or 1=1;--. This is a classic SQL injection where a single quote closes the string literal and -- comments out the trailing syntax, injecting an always-true condition to return all rows.

Web Application Attacks & Post-Exploitation

Question

An attacker has determined a web application is running the SQL command shown below. What could she enter for VALUE to get a list of all email addresses in the employee table and avoid syntax errors? select email from employee where name = '榌VALUE]';

Options

  • A' or 1=1;--
  • B' or select email from employee
  • Cor select email from employee
  • Dor 1=1

How the community answered

(24 responses)
  • A
    71% (17)
  • B
    8% (2)
  • C
    17% (4)
  • D
    4% (1)

Why each option

This is a classic SQL injection where a single quote closes the string literal and -- comments out the trailing syntax, injecting an always-true condition to return all rows.

A' or 1=1;--Correct

Entering ' or 1=1;-- transforms the executed query into: select email from employee where name = '' or 1=1;-- '; the leading apostrophe closes the open string literal in the WHERE clause, 'or 1=1' creates a condition that is always true causing all rows and thus all email addresses to be returned, and the -- SQL comment marker causes the database engine to ignore the trailing apostrophe from the original query, preventing a syntax error.

B' or select email from employee

' or select email from employee would produce a syntax error because placing a bare SELECT statement after OR in a WHERE clause requires a valid subquery form with parentheses, and the original trailing apostrophe from the query would remain uncommented.

Cor select email from employee

or select email from employee lacks a leading apostrophe to break out of the open string literal, so the entire input is interpreted as the literal string value being searched rather than injected SQL syntax.

Dor 1=1

or 1=1 does not begin with an apostrophe to escape the string context, so the input is treated as a literal string value within the surrounding quotes rather than executable SQL logic.

Concept tested: SQL injection string termination and comment bypass

Source: https://owasp.org/www-community/attacks/SQL_Injection

Topics

#SQL injection#boolean injection#SQL syntax#database exfiltration

Community Discussion

No community discussion yet for this question.

Full GCIH Practice