0

I have been told that the method of escaping single quotes is easy to bypass in a sql injection attack. For example, if I were to have the line:

username='admin' and password='$password'

where the user types in "$password", and any single quote they type gets replaced by a double quote, could you give me an example command that would break this? I know the backslash character ( \ ) is used to escape a character, but I'm not sure how it would work out still.

Logan
  • 1,172
  • 9
  • 23
  • 1
    The first problem you have is that you're storing passwords in plain text. You might want to read this article: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/ – BoltBait Feb 13 '16 at 00:04
  • Ask him/her for a proof of concept. – Gumbo Feb 13 '16 at 08:39

0 Answers0