You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
UPDATE users SET email = "[email protected]" WHERE id = %inject%
Injecting OR 1=1 hits every record in the table
Now, this is a fringe case and bad example as id is very unlikely controllable by user input but it gets the point.
Injecting logical operators can result in damage if said operator controls which record(s) the query is hitting.
Another example is commenting out the rest of the query.
In the previous example if email is injectable something like x" -- can unintentionally wreck havoc UPDATE users SET email = "x" -- " WHERE id = 1
Feature Request:
Create a wordlist for safe SQL Injection fuzzing that doesn't contain dangerous parameters
Additional context:
Logical operators like
' OR 1=1
can be dangerous if successfully injected on a DELETE or UPDATE query.The text was updated successfully, but these errors were encountered: