This value:
admin');#
would terminate the SQL statement after the string “admin” and treat everything after as a comment. So this:
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name='$user' OR email='$user') AND pass='$pass'
essentially becomes this:
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name='admin')
A record is found and the system happily continues on its way, having logged the user in as 'admin' because the query successfully found that record.
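An added example, not part of the original answer: the same query shape run against an in-memory SQLite database, with the concatenated form beside a parameterized one. SQLite is an assumption here and has no `#` comment, so the input uses `--` in place of `#`; the sample row, the trimmed column list and the function names are constructed.

```python
import sqlite3


def make_db():
    """Build a constructed one-row table using the names from the query above."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE USERS_TABLE "
        "(ID INTEGER PRIMARY KEY, name TEXT, email TEXT, pass TEXT)"
    )
    db.execute(
        "INSERT INTO USERS_TABLE (name, email, pass) "
        "VALUES ('admin', 'admin@example.test', 'constructed-secret')"
    )
    return db


def render_concat(user, password):
    """Build the SQL text the way the vulnerable login does: by pasting input in."""
    return (
        "SELECT ID, name FROM USERS_TABLE "
        "WHERE (name='%s' OR email='%s') AND pass='%s'" % (user, user, password)
    )


def login_concat(db, user, password):
    """Vulnerable: quotes and comment markers in the input are parsed as SQL."""
    return db.execute(render_concat(user, password)).fetchone()


def login_param(db, user, password):
    """Hardened: values are bound separately and never become part of the SQL text."""
    sql = "SELECT ID, name FROM USERS_TABLE WHERE (name=? OR email=?) AND pass=?"
    return db.execute(sql, (user, user, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    crafted = "admin')--"  # SQLite equivalent of the value discussed above
    print(render_concat(crafted, "wrong"))
    print("concatenated :", login_concat(db, crafted, "wrong"))
    print("parameterized:", login_param(db, crafted, "wrong"))
```

With bound parameters the crafted value is compared as a literal name, so the password check is no longer skipped and the lookup finds no row.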