which because of the comment symbol is equivalent to
SELECT * FROM users WHERE username = 'admin'
and so the password check has been bypassed altogether.
Suppose that the attacker does not know the username of the administrator.
In most applications, the first account in the database is an administrative user,
because this account is normally created manually and then used to generate
all other accounts via the application. Further, if the query returns the details
for more than one user, most applications will simply process the first user
whose details are returned. An attacker can often exploit this behavior to log in
as the first user in the database by supplying the username:
' OR 1=1--
This causes the application to perform the query
SELECT * FROM users WHERE username = '' OR 1=1--' AND password = 'foo'
which because of the comment symbol is equivalent to
SELECT * FROM users WHERE username = '' OR 1=1
which will return the details of all application users.
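The following is an added example, not code from the original text, showing why both login bypasses above work and how a parameterized query closes them. It builds an in-memory SQLite table with three constructed sample accounts (the first one an administrator, matching the text's assumption), runs the string-concatenated query the text describes, and compares it with the same lookup using bound parameters. The table layout, account names and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration: the first account in the table
# is the administrator, as the text assumes. Plaintext passwords are used only to
# keep the example short.
SAMPLE_USERS = [
    (1, "admin", "s3cret-admin"),
    (2, "alice", "alice-pw"),
    (3, "bob", "bob-pw"),
]


def make_db():
    """Create an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the text describes: user input pasted straight into the SQL.

    Like most applications, this returns the first matching row, so when the
    WHERE clause is widened to match everyone, the first account (admin) wins.
    """
    query = (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    rows = conn.execute(query).fetchall()
    return rows[0][1] if rows else None  # username of the first row, or None


def login_parameterized(conn, username, password):
    """The fix: the same lookup with bound parameters.

    The driver sends the input as data, so quotes and comment markers inside it
    are matched literally against the column and never change the query.
    """
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("admin", "s3cret-admin"), ("admin'--", "foo"), ("' OR 1=1--", "foo")]:
        print(f"{name!r:16} vulnerable -> {login_vulnerable(db, name, pw)!r:10}"
              f" parameterized -> {login_parameterized(db, name, pw)!r}")
```

Run as a script, the concatenated query logs in as `admin` for both injected usernames from the text, while the parameterized version returns `None` for them and only succeeds for a genuine username and password pair. The single change that matters is moving the input out of the query string and into the parameter tuple; the application's "take the first row" behaviour, which the text notes is common, is left untouched and is harmless once the query can no longer be rewritten.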