Reputation: 63
In class we're now learning about SQL injection attacks and my professor showed us examples where we either use only the username input for the attack, or both the username and password.
I started reading about SQL injection more and found that you can create attacks by typing 'admin' or 'xx' into the username input and then primarily using the password input for the attack.
My question is, is it possible to perform a SQL injection attack using only the password input and typing nothing in the username input?
EDIT: This question is in the context of using a SQL injection attack on a database via the password box of a login page of a website.
Upvotes: 0
Views: 3379
Reputation: 157839
If you're asking this, then your professor failed with the explanation. He's not alone, though.
Most people in the world confuse the injection with the exploit, taking one for the other.
What your professor demonstrated to you was an exploit. Yes, various particular exploits involve various particular query parts. But the principle of injection is the breaking of query integrity. That's all. As long as you can inject any code into the query, it is vulnerable. Whether you will be able to exploit it or not is another matter; for this one has to learn SQL, not injections.
But the point of injection is just the breaking of query integrity. And for this it doesn't matter whether it is the password or a "remember me" checkbox. Comprehensible?
For a better understanding I'll recommend an article I wrote that is aimed at protection from injections, but it can surely help you understand injection too. The first three chapters and the appendices could be of the most help. Here it goes: The Hitchhiker's Guide to SQL Injection protection
Upvotes: 1
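Added example (not code from any of the posters): the injection-versus-exploit distinction from the answer above, run with Python's sqlite3 against a constructed in-memory table. The table, function names and sample inputs are assumptions made for the illustration; it shows that the password box alone can break the integrity of a concatenated query, and that placeholders keep both fields as data.

```python
import sqlite3

def make_db():
    # Constructed sample data. A real application stores password hashes,
    # never plaintext; plaintext is used here only to keep the query readable.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-Admin-pw')")
    return db

def login_concat(db, username, password):
    # Vulnerable: both inputs become part of the SQL text, so either field
    # can change the structure of the statement.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    # Fixed: the statement text is constant; inputs are bound as values.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def breaks_query(login, db, username, password):
    # Integrity check: does this input make the statement fail to parse?
    try:
        login(db, username, password)
        return False
    except sqlite3.Error:
        return True

def demo():
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input, typed into the password box only
    return {
        # A lone quote in the password field already breaks the query: injection.
        "concat_integrity_broken": breaks_query(login_concat, db, "", "'"),
        "param_integrity_broken": breaks_query(login_param, db, "", "'"),
        # Empty username, crafted password: one exploit of that injection.
        "concat_crafted_login": login_concat(db, "", crafted),
        "param_crafted_login": login_param(db, "", crafted),
        # Legitimate credentials work in both versions.
        "concat_valid_login": login_concat(db, "admin", "s3cret-Admin-pw"),
        "param_valid_login": login_param(db, "admin", "s3cret-Admin-pw"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```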
Reputation: 9
Yes, it's possible; it depends on how the code is written to validate. If the code is written only to get a true/false result set, you can very much anything to get a true result and get into the application. For example: select '1' from xyz where username='xxx' or yy=yy
Upvotes: 0
Reputation: 93636
is it possible to perform a SQL injection attack using only the password input and typing nothing in the username input?
Yes.
Upvotes: 5