Found ' OR 1=1/* SQL injection in my newsletter database

Backend · Unresolved · 4 · 1437
北海茫月 2021-02-07 04:02

I found the following in the "e-mail" field of my newsletter subscriber database: ' OR 1=1/*

I know it's a SQL injection, but that's it. I've goog

4 answers
  •  日久生厌
    2021-02-07 04:35

    It probably aimed to select all the information in your table. If you use this kind of query (for example in PHP):

    // Vulnerable: $email is pasted straight into the SQL text
    mysql_query("SELECT * FROM newsletter WHERE email = '$email'");
    

    The email ' OR 1=1/* will give this kind of query :

    mysql_query("SELECT * FROM newsletter WHERE email = '' OR 1=1/*");
    

    So it selects all the rows (because 1=1 is always true and the rest of the query is commented out). But it was not successful

    • if strings used in your queries are escaped
    • if you don't display all the query results on a page...
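Added example, not part of the original question or answer: the answer's PHP query reproduced in Python against an in-memory SQLite table (the standard-library `sqlite3` module), with constructed sample rows that include the very value the asker found stored in the column. It shows the concatenated query returning every row for the payload, the same lookup written as a parameterized query returning only the row whose e-mail literally is the payload (the value is treated as data, not SQL), and a small scan of the table for stored values containing SQL metacharacters, which is the triage step the asker's situation calls for. The table name, column names and sample addresses are assumptions.

```python
import sqlite3

# Constructed sample table: three ordinary subscribers plus the exact value the
# asker found stored in the "e-mail" column. Test data, not from the post.
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "' OR 1=1/*",
]

PAYLOAD = "' OR 1=1/*"


def build_db():
    """In-memory SQLite database standing in for the newsletter database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletter (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    # Parameterized insert: the payload is stored literally, as data. That is how
    # an injection string ends up sitting in a table without having executed.
    conn.executemany("INSERT INTO newsletter (email) VALUES (?)", [(e,) for e in SUBSCRIBERS])
    conn.commit()
    return conn


def render_vulnerable_sql(email):
    """The SQL text the PHP snippet in the answer builds: the value is pasted into the query."""
    return f"SELECT email FROM newsletter WHERE email = '{email}'"


def vulnerable_lookup(conn, email):
    """Executes the concatenated query. With the payload the WHERE clause becomes
    email = '' OR 1=1, and the trailing quote is swallowed by the unterminated /*
    comment (SQLite accepts a C-style comment that runs to the end of the input)."""
    return sorted(row[0] for row in conn.execute(render_vulnerable_sql(email)))


def safe_lookup(conn, email):
    """Parameterized query: the driver passes the value separately from the SQL text,
    so it is compared as a literal string and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM newsletter WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


# Characters that have no business in an e-mail address but do in SQL.
SUSPICIOUS_TOKENS = ("'", '"', "--", "/*", ";")


def find_suspicious(conn):
    """Triage for the asker's situation: list stored e-mails that contain SQL
    metacharacters, i.e. injection attempts that were saved as plain data."""
    rows = conn.execute("SELECT email FROM newsletter")
    return sorted(e for (e,) in rows if any(tok in e for tok in SUSPICIOUS_TOKENS))


if __name__ == "__main__":
    db = build_db()
    print(render_vulnerable_sql(PAYLOAD))
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))  # every row comes back
    print("safe:      ", safe_lookup(db, PAYLOAD))        # only the row that literally is the payload
    print("suspicious:", find_suspicious(db))             # stored injection attempts
```

Running it prints the rendered query `SELECT email FROM newsletter WHERE email = '' OR 1=1/*'`, then all four addresses for the concatenated version and just `' OR 1=1/*` for the parameterized one. Finding the payload stored verbatim, as the asker did, means the write path treated it as data; the remaining question is whether every read path does too, which is what the two lookup functions contrast.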
