When an order was submitted via the corporate website, an administrator noted special characters (e.g., “;–“
and “or 1=1 –“) were input instead of the expected letters and numbers.
Which of the following is the MOST likely reason for the unusual results?
The user is attempting to highjack the web server session using an open-source browser.
The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing
The user is attempting to fuzz the web server by entering foreign language characters which are
incompatible with the website.
The user is sending malicious SQL injection strings in order to extract sensitive company or customer data
via the website.
The code in the question is an example of a SQL Injection attack. The code ‘1=1’ will always provide a value of
true. This can be included in statement designed to return all rows in a SQL table.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL
statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is
either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not
strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but
can be used to attack any type of SQL database.