0

I'm Reading book about sql and I see some statements using or/and and I don't understand them:

this is the main statement:

SELECT ∗
FROM administrators
WHERE username = ’’ AND password = ’’;

if some one try to do an sql bypass , he will do this:

SELECT ∗
FROM administrators
WHERE username = ” OR ‘1’=‘1’ AND password = ”;

or this 

SELECT ∗
 FROM administrators
 WHERE (username = ’’) OR (‘1’=‘1’ AND password = ’’);

how these 2 statements get the same results, I don't understand how AND/OR works in theses statements ..

and the last question how these statements return all value in database (bypass the auth):

select *
from users
where (username = '') or (1=1) or (1=1 AND password = '')  ;

OR

SELECT ∗
 FROM administrators
 WHERE username = ’’ AND
       password = ’’ OR
       1’=‘1’;
Cœur
  • 37,241
  • 25
  • 195
  • 267
justlearn2
  • 31
  • 1
  • 4
  • 1
    Aside from the duplicate answer for SQL Logic Operator above, read-up on SQL-INJECTION. Never build a SQL command with direct values coming from an uncontrolled source (such as web). Always parameterize your queries. – DRapp Oct 06 '18 at 11:40

2 Answers2

0

In simple explanations:

SELECT ∗ FROM administrators WHERE username = ” OR ‘1’=‘1’ AND password = ”;

Here if the username exists and password is wrong, it will return all columns for that username else returns nothing.

SELECT ∗ FROM administrators WHERE (username = ’’) OR (‘1’=‘1’ AND password = ’’);

This returns the same thing as the above, the brackets don't matter.

SELECT ∗ FROM administrators WHERE username = ’’AND password = ’’  OR ‘1’=‘1’ ;

This makes a difference, even if both username and password are wrong, it will return the full * columns. [best option for a SQL injection for full table data]

select * from users where (username = '') or (1=1) or (1=1 AND password = '') ;

same results as above

Its easy to think of it this way: any AND/OR condition introduced after where is paired for the first constraint, any other introduced after that is a constraint of its own. 

WHERE condition1 OR/AND condition1-pair AND separate condition
comphonia
  • 521
  • 3
  • 10
0

You can consider AND as multiplication, OR as addition, true statement as 1 and false statement as 0. For example statement

SELECT  .... WHERE y = 0 AND x < 1 OR 1 = 1

    will always be true, because 
    1*1 + 1 = 1
    0*0 + 1 = 1
    1*0 + 1 = 1

(0 and 1 are Boolean, not decimal)

Mike Twc
  • 2,230
  • 2
  • 14
  • 19