SQL Injection

Hi guys, thanks for reading.

In this query without sanitization (in MySQL):

SELECT * FROM logins WHERE username= AND password= ;

I can bypass this with username= 'or '1'='1 and the same for password.

I know that if I input username= whatever' or '1'='1 then I log in as user "whatever", as long as "whatever" exists in the logins table, and I don't need to bypass the password field.

But I don't understand why, if I input username= whatever and password= 'or '1'='1, I log in but not as user "whatever". I don't get the point…

The Operator Precedence of MySQL could be the answer.

First case

SELECT * FROM logins WHERE username='foo' OR '1'='1' AND password='bar'

Insert brackets to show the operator precedence:

SELECT * FROM logins WHERE username='foo' OR ('1'='1' AND password='bar')

Reduce the constant part:

SELECT * FROM logins WHERE username='foo' OR (true AND password='bar')

Reduce the constant part:

SELECT * FROM logins WHERE username='foo' OR password='bar'

If foo is a user name in the logins table or if bar is a password in the logins table, then a record will be found and a login is possible.

Second case

SELECT * FROM logins WHERE username='foo' AND password='bar' OR '1'='1'

Insert brackets to show the operator precedence:

SELECT * FROM logins WHERE (username='foo' AND password='bar') OR '1'='1'

Reduce the constant part:

SELECT * FROM logins WHERE (username='foo' AND password='bar') OR true

Reduce the constant part:

SELECT * FROM logins WHERE true

In this case the condition is simply true, so the username foo and the password bar are not checked.
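A runnable illustration of the two cases above, added here and not part of any post in the thread. It builds a constructed SQLite table of three accounts (SQLite evaluates AND before OR, just like MySQL), runs the concatenated query the thread discusses, and shows a parameterised version beside it for comparison.

```python
import sqlite3

# Constructed sample accounts (not from the thread). Insertion order matters:
# an application that takes the first returned row will pick "admin".
USERS = [("admin", "s3cret"), ("whatever", "pw1"), ("bob", "pw2")]


def make_db():
    """In-memory logins table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation as in the thread's query: input becomes SQL text.

    Returns the usernames of every row the WHERE clause matched, so the
    effect of operator precedence is visible:
      - injection in the username field collapses to
        username='whatever' OR password='x'  -> only the "whatever" row
      - injection in the password field collapses to
        (username='whatever' AND password='') OR true -> every row, and an
        application that logs in the first match logs in as "admin".
    """
    sql = ("SELECT username FROM logins WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterised query: the same input is bound as data, never parsed
    as SQL, so the quotes and OR never reach the query planner."""
    rows = conn.execute(
        "SELECT username FROM logins WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "whatever' or '1'='1", "x"))   # ['whatever']
    print(login_vulnerable(db, "whatever", "' or '1'='1"))    # all three rows
    print(login_safe(db, "whatever", "' or '1'='1"))          # []
```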

I mean, a quick and dirty way is just to comment out the password part.
This is a very simple form of SQL.

You could put the user example'--+- and not even need a password.

There are many ways to comment out the line, though, so you have to play with it a bit sometimes.

The information above is super legit though. 100%

Many thanks to both, I think I understand SQL injection better now.