So I have done the starting point box “appointment” and got a successful SQL injection, but I do not understand why the query actually works, as to my understanding it should not. Searching for an explanation, as I would like to understand it.
In the walkthrough.pdf the query is shown to be:
SELECT * FROM users WHERE username='username' AND password='password'
I have entered
It seems to be a MySQL database, since the walkthrough states that # is the character for comments and, based on the SQL injection cheat sheet | Web Security Academy, only MySQL has that. So my input does not comment out anything and therefore should not work (as long as there is no empty user, but I confirmed that there isn't with other inputs).
Does someone understand why my input works and gives me the flag?
Thank you for your response.
I understand that there are multiple ways to comment in MySQL and, as you also emphasized in your reply, in MySQL the
only works as a comment when it is trailed by a space. That's exactly my problem. It works for me even when just entering
without a trailing space for username and password. But only if I enter it for both parameters at the same time. That's what I do not understand. Why do I manage to log in providing these without spaces?
So I ran a test. Here's an excerpt of the PHP code they claim is running:
└─$ cat appointment.php
$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
└─$ php -f ./appointment.php
SELECT * FROM users WHERE username=''--' AND password=''--'
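An added example, not from this thread or from the box's appointment.php, that applies MySQL's lexing rules to the query PHP printed on the last line: `#` and `--` followed by whitespace open a comment, and `''` inside a single-quoted literal is an escaped quote. The tokenizer and the `effective_where` helper are my own code, written only to show which parts of that line MySQL treats as comments and which as string literals.

```python
import re

# Constructed input: the query that appointment.php printed in the post above.
QUERY = "SELECT * FROM users WHERE username=''--' AND password=''--'"
# Same payload with the trailing space the walkthrough talks about.
SPACED = "SELECT * FROM users WHERE username=''-- ' AND password=''-- '"


def tokenize(sql):
    """Lex sql with the MySQL rules that matter here (assumption: no other
    comment styles or quote types are in play):
    - '#' and '-- ' (dashes followed by whitespace) comment to end of line,
    - a single-quoted literal ends at a quote that is not doubled ('' = escaped quote).
    Returns a list of (kind, text) tuples."""
    tokens = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "#" or (sql.startswith("--", i) and sql[i + 2:i + 3].isspace()):
            end = sql.find("\n", i)
            end = n if end == -1 else end
            tokens.append(("comment", sql[i:end]))
            i = end
        elif c == "'":
            j = i + 1
            # advance until a quote that is NOT followed by another quote
            while j < n and not (sql[j] == "'" and sql[j + 1:j + 2] != "'"):
                j += 2 if sql[j:j + 2] == "''" else 1
            tokens.append(("string" if j < n else "unterminated", sql[i:j + 1]))
            i = j + 1
        else:
            m = re.match(r"\w+|.", sql[i:])
            tokens.append(("word" if m.group()[0].isalnum() or m.group()[0] == "_" else "op", m.group()))
            i += m.end()
    return tokens


def effective_where(sql):
    """Texts of the tokens MySQL actually parses after WHERE (comments dropped)."""
    toks = tokenize(sql)
    start = next(k for k, (_, t) in enumerate(toks) if t.upper() == "WHERE") + 1
    return [t for k, t in toks[start:] if k != "comment"]


if __name__ == "__main__":
    for q in (QUERY, SPACED):
        print(q)
        for kind, text in tokenize(q):
            print(f"  {kind:12} {text!r}")
        print("  effective WHERE:", effective_where(q))
```

Without trailing whitespace there is no comment token: the second literal runs to the final quote and swallows the `AND password=` clause, so the predicate becomes `username = '' - -'...'`, which MySQL evaluates numerically (both string operands become 0), while `'--` in only one field leaves an unterminated string and a syntax error instead. Prepared statements (PDO or mysqli with bound parameters) remove the problem because user input is never lexed as part of the query.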