Monday, February 28, 2011

sql injection attack...

it is a pretty neat idea actually... based on facts like most SQL servers allowing multiple queries in one request, separated by a ';'
eg:
query1;query2;
so imagine a query
select money from salary where name="(an input from textbox!!)"
if I input mayur.. it should give my salary..
if I write the line below in the textbox...
mayur";update salary SET money=1000000000 where name="mayur
the queries executed are:
1)select money from salary where name="mayur";
& 2)update salary SET money=1000000000 where name="mayur"
so I am rich now!!!..
also for login, if we check in SQL password="(input from textbox)"
for input
haha" OR "1"="1
the condition becomes password="haha" OR "1"="1", which is always true, so
you'll be logged in!!! no need to know the password...