Xiang Ramadhan

Reputation: 115

SQL injection: why should you write 0 or 1=1?

In SQL injection, why should you use 0 or 1=1? Isn't this automatically evaluated as 1 in a boolean operation? I don't understand why we should write it that way. Can someone explain?

Thanks in advance

Upvotes: 1

Views: 10344

Answers (2)

David

Reputation: 218837

Because it makes the condition always true.

For example, if someone's SQL code is:

string query = "SELECT * FROM Users WHERE Password = '" + somePassword + "'";

(Username clause omitted for brevity.)

Then you can enter something like this as the password:

' OR 1 = 1;--

Which would make the resulting query:

SELECT * FROM Users WHERE Password = '' OR 1 = 1;--'

The semicolon ends the statement, and -- denotes a comment so everything thereafter is ignored. So it simplifies to:

SELECT * FROM Users WHERE Password = '' OR 1 = 1

This will match all records in the table. Always. Because 1 = 1 is always true. Depending on how the application handles this response, you may be logged in. Perhaps even as the first user in the table, which is likely to be the admin user.

For SQL-injectable code, it's basically a universal password. (Provided you guess a correct username, which isn't difficult.)

Edit: I just noticed the 0 part of your question as well. This would be used when you expect the injected value to be looking for a number rather than a string. For example, consider a similar SQL statement:

string query = "SELECT * FROM Users WHERE Id = " + someID;

The leading 0 in the injected value prevents a syntax error. So the resulting query would be:

SELECT * FROM Users WHERE Id = 0 OR 1 = 1

Same concept as above. This will match all records every time.

Upvotes: 5

Webdev

Reputation: 647

Here is a brief explanation:

select title, text from news where id=$id

In the example above, the variable $id contains user-supplied data, while the remainder is the static SQL part supplied by the programmer, making the SQL statement dynamic.

Because of the way it was constructed, the user can supply crafted input trying to make the original SQL statement execute further actions of the user's choice. The example below illustrates the user-supplied data "10 or 1=1" changing the logic of the SQL statement, modifying the WHERE clause by adding the condition "or 1=1".

select title, text from news where id=10 or 1=1

So the query will still be executed.

Upvotes: 0
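As an added, runnable illustration of both answers above (this is not code from either answer or from the question), the Python script below builds a tiny in-memory SQLite table and runs the two vulnerable query shapes: the string context from David's answer (`Password = '...'`, attacked with `' OR 1 = 1;--`) and the numeric context from both answers (`Id = ...`, attacked with `0 OR 1=1` and `10 or 1=1`). It also shows why the leading `0` matters, namely that `Id = OR 1=1` is a syntax error while `Id = 0 OR 1=1` parses as `(Id = 0) OR (1 = 1)`, and it puts the parameterized version alongside as the fix. The table contents, column names and function names are assumptions made for this demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
SAMPLE_USERS = [
    (1, "admin", "s3cret-admin"),
    (2, "alice", "hunter2"),
    (3, "bob", "correct horse"),
]


def make_db():
    """Create an in-memory Users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_by_password(conn, some_password):
    """String context: the value is pasted between quotes, so a quote in the
    input ends the literal early and the rest is parsed as SQL."""
    query = "SELECT * FROM Users WHERE Password = '" + some_password + "'"
    return conn.execute(query).fetchall()


def vulnerable_by_id(conn, some_id):
    """Numeric context: no quotes at all, so the payload must itself start
    with a number to keep the statement syntactically valid."""
    query = "SELECT * FROM Users WHERE Id = " + some_id
    return conn.execute(query).fetchall()


def is_syntax_error(conn, some_id):
    """True if the numeric-context query built from some_id fails to parse.
    Used to show that 'OR 1=1' alone is rejected while '0 OR 1=1' is accepted:
    '=' binds tighter than OR, so the latter reads as (Id = 0) OR (1 = 1)."""
    try:
        vulnerable_by_id(conn, some_id)
    except sqlite3.OperationalError:
        return True
    return False


def safe_by_password(conn, some_password):
    """Parameterized query: the value travels separately from the SQL text and
    is compared as data, so a quote or 'OR 1 = 1' never reaches the parser."""
    return conn.execute(
        "SELECT * FROM Users WHERE Password = ?", (some_password,)
    ).fetchall()


def safe_by_id(conn, some_id):
    """Parameterized and type-checked: anything that is not an integer is
    rejected (returns None) before any SQL runs."""
    try:
        id_value = int(some_id)
    except ValueError:
        return None
    return conn.execute("SELECT * FROM Users WHERE Id = ?", (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("honest login, 1 row:", vulnerable_by_password(db, "hunter2"))
    print("string payload, every row:", vulnerable_by_password(db, "' OR 1 = 1;--"))
    print("numeric payload, every row:", vulnerable_by_id(db, "0 OR 1=1"))
    print("without the leading 0, syntax error:", is_syntax_error(db, "OR 1=1"))
    print("parameterized, payload matches nothing:", safe_by_password(db, "' OR 1 = 1;--"))
    print("parameterized + int check, payload rejected:", safe_by_id(db, "0 OR 1=1"))
```

Run it as a script to see each query's result. The first row returned by the string-context attack is the `admin` row, which is the "first user in the table" effect David's answer describes; with the parameterized versions the same payloads either match nothing or are rejected before the query runs.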
