Subverting SQL logic
SELECT * FROM logins WHERE username='admin' AND password = 'p@ssw0rd';For instance lets say the above query is what is used when a user logins. Since we wont be able to see this if we were actually attempting SQLi we need to imagine this is what it may be
When looking at this we need to realize where our doors are. They are the two strings since thats what we would enter in the login form.
before we attempt to even subvert the logic of the SQL query we need to see if we can get our foot in the door. A quick and non complex check would be the following characters and their URL encoded versions
' " # ; )
You would be able to subvert the top query with the OR statement