I have read somewhere that in SQL injection attacks the attackers use such keywords at application entry points. What's the purpose of doing this?
Please do more research before asking. As the site's page explains, this site is for Information Security professionals. If you have a question about a basic topic like SQL injection, I expect you to do research first to read existing resources about SQL injection before asking here. In this case, your question is well covered by existing resources, so there would not be a lot of point in us duplicating all of those existing resources. Why don't you tell us what study and research you have done and what specifically you found confusing? – D.W. Sep 25 '14 at 22:54
Also in the future you should give the precise reference where you saw this, so people have enough context to explain it for you. – D.W. Sep 25 '14 at 22:56
See also http://security.stackexchange.com/q/8761/971 – D.W. Sep 25 '14 at 22:57
@mac For balance, we also have the [Ask] page, clearly stating the prior research requirement. Mostly to avoid needless duplication of content, but it should also prevent trivial questions being asked. – TildalWave Sep 26 '14 at 12:19
2 Answers
The fragment AND 1=0 always evaluates to false and therefore the query always returns an empty set, e.g. if the SQL fragment in the application is
SELECT * FROM users WHERE username = '<placeholder>'
then I can turn this query to
SELECT * FROM users WHERE username = 'admin' AND 1=0 --'
when using admin' AND 1=0 -- as value for the placeholder.
I can now insert a second statement which is executed instead of the intended one, e.g.
SELECT * FROM users WHERE username = 'admin' AND 1=0; TRUNCATE TABLE users; --'
Here I will empty the table users as the attack.
Another thing used is OR 1=1, which always evaluates to true. This is used to query a whole table and eliminate the WHERE clause completely, e.g.
SELECT * FROM users WHERE username = 'admin' OR 1=1 --'
This is achieved by using admin' OR 1=1 -- as the placeholder in the above example.
In this case the complete table users will be returned.
Why not just say SELECT * from users, why do you need to add the additional WHERE statement? – GdD Sep 25 '14 at 10:32
@GdD, remember this is an attack against a website. The website's original code is "SELECT * FROM users WHERE username = " and you enter "'admin' OR 1=1". If you concatenate these values you get "SELECT * FROM users WHERE username = 'admin' OR 1=1" which will return the whole user table. – Chris Murray Sep 25 '14 at 11:05
Ah, I see @ChrisMurray, because the value is not sanitized it will simply run it as-is. – GdD Sep 25 '14 at 11:50
Since … OR 1=1 is true for all records, you may also alter/delete all records if it’s not a SELECT but an UPDATE or DELETE statement which gets executed. – Gumbo Sep 25 '14 at 12:58
@Timmy You’ll never need to link to that comic again, because there is an actual company in Poland called Dariusz Jakubowski x'; DROP TABLE users; SELECT '1 to fulfill your needs. – kinokijuf Sep 25 '14 at 21:15
1=0 is always false, so a clause containing AND 1=0 will also always be false. This, like the always-true OR 1=1, can be used to bypass the conditions in a WHERE clause.
The OR 1=1 variant is more generally useful (e.g. SELECT username WHERE userid=173 to get your username becomes SELECT username WHERE userid=173 OR 1=1 to get every username on the system), but the AND 1=0 variant can, for example, be used to bypass an "is this user already registered" check.
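Worked example added here (not part of either answer): a small sqlite3 script that puts the string-concatenation bug from the first answer next to its parameterized fix, and shows the registration-check bypass from the second answer. The users table, its rows and the function names are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original post).
SAMPLE_USERS = [("admin", "admin"), ("alice", "user"), ("bob", "user")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    # The bug from the first answer: the value is concatenated into the SQL text,
    # so a quote, AND/OR and the '--' comment marker are parsed as part of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    # Hardened form: the driver binds the value; it is never parsed as SQL, so
    # "admin' OR 1=1 --" is just a username string that matches no row.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_registered_vulnerable(conn, username):
    # The "is this user already registered" check from the second answer, built by
    # concatenation: an appended AND 1=0 makes it report "not registered" even for
    # an existing name, so a duplicate registration would slip through.
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def is_registered_parameterized(conn, username):
    # Same check with a bound parameter: the condition is evaluated on the literal string.
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for value in ["admin", "admin' OR 1=1 --", "admin' AND 1=0 --"]:
        print(repr(value))
        print("  concatenated :", find_user_vulnerable(db, value))
        print("  parameterized:", find_user_parameterized(db, value))
        print("  registered? concatenated=%s parameterized=%s" % (
            is_registered_vulnerable(db, value), is_registered_parameterized(db, value)))
```

Running it shows the concatenated query returning every row for the OR 1=1 value and no rows for the AND 1=0 value, while the parameterized versions treat both strings as ordinary, non-matching usernames.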