Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials:
Username: attack' or 1=1 --
Password: 123456
Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability?
A. select * from Users where UserName ='attack or 1=1 -and UserPassword = '123456"
B. select * from users where UserName = 'attack' or 1=1 --'and UserPassword = '123456'
C. select * from Users where UserName ='attack" or 1=1 -and UserPassword = '123456'
D. select * from users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'
Answer: D