DEV Community

Kenny Cipher

[WHERE clause allowing retrieval of hidden data] – [SQL injection vulnerability]

Target:

Vulnerability Summary:

  • Type: SQL Injection
  • Description: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Steps to Exploit:

  1. Observed the URL and found 'filter?category' being sent as a query in a SELECT statement to the database, so I tried modifying the WHERE clause.
  2. Guessed that the command submitted to the database is: SELECT * FROM products WHERE category = 'Gifts' AND released = 1
  3. Created the payload ?category=Gifts'+OR+1=1+-- to try to make it display all categories.

Impact:
A simple attack can cause the application to display all the products in every category, including unreleased products and categories the site owner does not want you to see.

Remediation:
  • Use parameterized queries / prepared statements
  • Use server-side input validation
  • Escape and sanitize user input

Lessons Learned:

  1. A single quote (') terminates a string literal in SQL, so the rest of the input is parsed as SQL.
  2. Because 1=1 is always true, the query returns every row in the table.
  3. + represents a space in the URL-encoded query string.
  4. -- is a comment indicator in SQL, so everything after it (here, AND released = 1) is ignored.
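To make the lessons and the first two remediation points concrete, here is an added example (not part of the original post or of the lab) that rebuilds the guessed query against a small in-memory SQLite table. The table, product names and the category allowlist are constructed for the demo; the payload is the one from the post, shown URL-decoded.

```python
import sqlite3

def build_db():
    """Constructed sample table mirroring the guessed schema: products(category, released)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Mug", "Gifts", 1),          # released, visible
        ("Secret Gift", "Gifts", 0),  # unreleased, should stay hidden
        ("Lamp", "Home", 1),
        ("Prototype", "Home", 0),
    ])
    return conn

def vulnerable_query(conn, category):
    """The bug: user input is pasted straight into the WHERE clause."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    # With category = "Gifts' OR 1=1 --" the statement becomes
    #   ... WHERE category = 'Gifts' OR 1=1 --' AND released = 1
    # so the released filter is commented out and every row matches.
    return sorted(row[0] for row in conn.execute(sql))

def safe_query(conn, category):
    """Remediation 1: a parameterized query. The driver sends the category as a value,
    never as SQL text, so quotes and comment markers have no special meaning."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))

KNOWN_CATEGORIES = {"Gifts", "Home"}  # constructed allowlist for the demo

def validated_query(conn, category):
    """Remediation 2: server-side validation against an allowlist, layered on top of
    the parameterized query. Unknown categories are rejected before any SQL runs."""
    if category not in KNOWN_CATEGORIES:
        raise ValueError("unknown category")
    return safe_query(conn, category)

if __name__ == "__main__":
    conn = build_db()
    payload = "Gifts' OR 1=1 --"
    print("vulnerable, normal input :", vulnerable_query(conn, "Gifts"))
    print("vulnerable, payload      :", vulnerable_query(conn, payload))
    print("parameterized, payload   :", safe_query(conn, payload))
```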
