# MySQL Injection With Apostrophe Question

## dman777

I was reading the tutorial on hardening a php web server. In it they show an exploit with an SQL injection:

```
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
```

If the user types:

```
' OR 1=1 #
```

in the username field box the code would look like:

```
SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
```

What I don't understand is how does just one apostrophe make Username = '".$_POST['username']."' into Username = ''? To me, with variable expansion in an even set of single quotes, that would make a total of 3 quotes with: Username = '''.

----------

## sebaro

str1 = SELECT Username, Password FROM Users WHERE Username = '

str2 = ' OR 1=1 #

str3 = ' and Password = '

str4 =

str5 = '

str = SELECT Username, Password FROM Users WHERE Username = ' . ' OR 1=1 #' . and Password = ' . '

str = SELECT Username, Password FROM Users WHERE Username = ' ' OR 1=1 #' and Password = ''

Try it in a shell:

```
# user="' OR 1=1 #";pass="";echo "SELECT Username, Password, UserLevel FROM Users WHERE Username = '$user' and Password = '$pass'"
```

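The concatenation sebaro walks through, as an added example that is not part of the thread: it rebuilds the PHP string piece by piece in Python so the quote count can be checked, then runs the concatenated query beside a placeholder-based one against a constructed in-memory SQLite table (standing in for MySQL; SQLite only understands `--` as a line comment, so the runnable check uses that form instead of `#`).

```python
import sqlite3

# Added example (not from the thread): the vulnerable PHP line from the first
# post, reproduced in Python. Each literal piece contributes exactly one quote,
# and the user's input contributes its own, so "'" + "'" is two quotes, not three.
QUERY_HEAD = "SELECT Username, Password, UserLevel FROM Users WHERE Username = '"
QUERY_MID = "' and Password = '"
QUERY_TAIL = "'"


def build_query(username: str, password: str) -> str:
    """String-concatenated SQL text, exactly as the PHP mysql_query() call builds it."""
    return QUERY_HEAD + username + QUERY_MID + password + QUERY_TAIL


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table with two sample rows (stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                   [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return db


def login_concatenated(db: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text, so a quote in the
    input closes the literal and the rest of the input is parsed as SQL."""
    return db.execute(build_query(username, password)).fetchall()


def login_parameterized(db: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders send the input as data, quotes and all, so the
    same input is simply compared against the Username column and matches nothing."""
    return db.execute(
        "SELECT Username, Password, UserLevel FROM Users WHERE Username = ? and Password = ?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    print(build_query("' OR 1=1 #", ""))  # the string from the first post
    db = make_db()
    print(len(login_concatenated(db, "' OR 1=1 --", "")), "rows via concatenation")
    print(len(login_parameterized(db, "' OR 1=1 --", "")), "rows via placeholders")
```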
----------

## athena810

Normally, for SQL injection, it works with a form, like a username/password form.

```
Username: ' or 1=1--
Password: ' or 1=1--
```

And there's a lot of variations. Like, 'admin or 1=1-- works for the username sometimes if you know that the username is admin. 

It's basically saying that whatever it is (admin, root) equals 1=1 which is true, so the user gets access.

Actually, this trick rarely works anymore. 

Most people look for databases. You can test if a site is vuln to an SQL injection because it will look something like this:

http://www.blah.com/index.php?id=2

Anything with php?id=[a number] normally is vuln to an sqli. 

People like to go on Google and search

```
inurl:php?id=
```

which normally will give you a nice list of sqli vuln sites.

You test it by adding a ' after the URL, then refresh it. If anything looks different than what was original then it is sqli vuln. 

However, it cannot come up as a 404 not found...that won't work. 

Like everyone likes to sqli this site: http://www.cooksnotebook.com/recipe.php?id=75

But no one ever actually has the time to go through the hashes.

----------

