22 July 2011

Answer to How for beginners of SQL Injection

If I ask you what SQL injection is, your answer will be either "I don't know" or "I know". My question for those who say "I know" is: what do you really know about SQL injection? You may say it is a way for an unauthenticated person to get access to a system without having any login credentials. If I then ask how, you may say it's easy: I will just enter the following in the login box instead of valid login details.
Username as a'or'1'='1 and password as a'or'1'='1
Now I will ask: do you know what you are doing here? Confused? :) No problem, here is your chance to find out.
When you open a login page, you enter your login information. The web application then queries its database to match this information against a database table. If it matches, the application gives you access to the system; otherwise it displays an error message.
To access the database, the application fires an SQL query of the following form:
SELECT * FROM users WHERE username = 'xyz' AND password = 'abc';
Here xyz is the value you entered in the username field and abc is the value you entered in the password field. The query is a condition: does a row exist with username = 'xyz' and password = 'abc'? The application places whatever you typed between the quotes, so a quote inside the input ends the string early and the rest of the input is read as part of the SQL. In SQL injection, what you are actually doing is manipulating this SQL query.
When we enter username and password as a'or'1'='1, the condition "where username = '' and password = ''" becomes true, since the injected or '1'='1' part is always true. The condition is satisfied and the application gives you access to the system, but only to some random account. If you know a username, you can enter that username, with the password as a'or'1'='1, and it will give you access to the account of the desired username.
This is commonly known as Blind SQL Injection.
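The query from this post, built first by string concatenation and then with bound parameters, as an added example that is not part of the original post. It runs against an in-memory SQLite database; the table contents and function names are constructed for illustration.

```python
import sqlite3

PAYLOAD = "a'or'1'='1"  # the input quoted in the post

def make_db():
    # Constructed sample table; plain-text passwords only mirror the post's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def build_concatenated_query(username, password):
    # Vulnerable: input is pasted between the quotes, so a quote inside the
    # input closes the string and the rest is parsed as SQL.
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    query = build_concatenated_query(username, password)
    return db.execute(query).fetchone() is not None

def login_safe(db, username, password):
    # Hardened: placeholders bind the input as data; it is never parsed as SQL.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_query(PAYLOAD, PAYLOAD))
    for name, pw in [("alice", "s3cret"), ("alice", "wrong"),
                     (PAYLOAD, PAYLOAD), ("bob", PAYLOAD)]:
        print(repr(name), repr(pw),
              "concatenated:", login_vulnerable(db, name, pw),
              "parameterized:", login_safe(db, name, pw))
```

With the parameterized query the same input is compared literally against the stored values, so it matches no row and the login is rejected.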

So with this I will complete my post. In the next part we will explore it further. If anyone has any confusion regarding this, feel free to ask.

Warning: The above post is just for knowledge. Please don't use it in the wrong way, otherwise you may face serious consequences.