I am learning about SQL injection. There is a regular statement that reads:
"select * from users where username = '" + getUsername() + "'" + " and " + "upassword = " + "'" + getPassword() + "'";
From what I have learnt, it is possible to perform a SQL injection attack by providing this password:
a' or '1' = '1
I will get all table entries from the database. But when I attempted to provide a user name as follows:
' or select user from dual where '1' = '1'--
I got nothing in return. My understanding is that with my username input as above, the regular statement would become:
select * from users where username = '' or select user from dual where '1' = '1'--
This should give me the current user. May I ask what has gone wrong here?
Update:
I managed to get it to work by modifying it a bit:
' union select * from users--
Now I got a whole list of usernames from the database.
Thanks
or select user from dual
is not a literal string; rather, it seems you are trying to pass in another query. If you want to pass a string literal, then quote it using single quotes.
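To make the answer's point concrete, here is an added example (not code from the question or the answer) that rebuilds the question's concatenated statement against an in-memory SQLite table with constructed sample rows. It shows why the bare `or select ...` input produced nothing (the database rejects it as a syntax error, because a SELECT is not a valid expression unless it is parenthesised or joined with UNION), and places the vulnerable concatenation beside a parameterised query, which treats the same inputs as plain data. SQLite is assumed as the engine; it has no `dual` table, so the subquery reads from `users` instead.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table matching the question's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, upassword text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: builds the statement by string concatenation, as in the question."""
    sql = ("select * from users where username = '" + username + "'"
           + " and " + "upassword = " + "'" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened: placeholders bind the inputs as data, so they can never change the SQL."""
    sql = "select * from users where username = ? and upassword = ?"
    return conn.execute(sql, (username, password)).fetchall()


def try_concat(conn, username, password):
    """Run the concatenated query and surface syntax errors instead of hiding them.

    Returns ("ok", rows) or ("error", message); an application that swallows the
    exception would show the user "nothing", which is what the question describes.
    """
    try:
        return ("ok", login_concat(conn, username, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Bare SELECT after OR: not an expression, so the parser rejects the statement.
    print(try_concat(db, "' or select username from users where '1' = '1'--", "x"))
    # Same idea in parentheses is a valid scalar subquery, so the row filter is bypassed.
    print(try_concat(db, "' or (select count(*) from users) > 0 --", "x"))
    # The parameterised version treats the identical input as a literal username.
    print(login_param(db, "' or (select count(*) from users) > 0 --", "x"))
```

The difference between the second and third calls is the whole lesson: the concatenated statement lets the input become SQL grammar, while the bound parameter is compared byte-for-byte against the `username` column and matches nothing.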