The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

In some situations, a simple SQL injection vulnerability may have an immedi-

ately critical impact, regardless of any further attacks that could be built upon

it. Many applications that implement a forms-based login function use a data-

base to store user credentials and perform a simple SQL query to validate each

login attempt. A typical example of this query is:

SELECT * FROM users WHERE username = ‘marcus’ and password = ‘secret’

This query causes the database to check every row within the users table

and extract each record where the 

username

marcus

the 

column has the value 

secret

. If a user’s details are returned to

ates an authenticated session for that user.

As with the search function, an attacker can inject into either the username

or the password field to modify the query performed by the application, and

so subvert its logic. For example, if an attacker knows that the username of the

application administrator is 

admin

, he can log in as that user by supplying any

admin’-- 

This causes the application to perform the following query:

SELECT * FROM users WHERE username = ‘admin’--‘ AND password = ‘foo’