Before hacking the system shown, just try to guess a user name and password (bill and ben, for example). Unless you are very lucky, you will not get into the system.
If you enter a string with a single quote in it, such as O'Brien, for either user name or password, you will get a Software Error as the SQL is invalid and cannot be parsed.
If you enter the string ' OR ''=' as both user name and password, you can ensure that the WHERE clause always returns true. Without knowing any user names or passwords you can bypass the login screen. In this example you get the user name of the first person in the table.
The magic string works because the program evaluates:
SELECT name from users WHERE name='name' AND password='password'
as the 'always true' string:
SELECT name from users WHERE name='' OR ''='' AND password='' OR ''=''
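The three inputs described above, run against a string-built query and against a parameterized one, as an added example that is not the page's own code. It assumes Python's sqlite3 module with an in-memory table; the table rows and the function names are constructed for illustration.

```python
import sqlite3

MAGIC = "' OR ''='"  # the string quoted on the page


def make_db():
    # Constructed sample rows; these accounts are invented for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    # Pastes the input between the quotes of the page's SELECT statement.
    sql = ("SELECT name from users WHERE name='" + name +
           "' AND password='" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # An unbalanced quote (O'Brien) leaves SQL that cannot be parsed.
        return "Software Error"
    return row[0] if row else None


def login_parameterized(db, name, password):
    # Placeholders bind the input as data, so a quote in it is never
    # parsed as SQL and the WHERE clause keeps its intended shape.
    row = db.execute("SELECT name from users WHERE name=? AND password=?",
                     (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name, password in [("bill", "ben"), ("O'Brien", "x"), (MAGIC, MAGIC)]:
        # AND binds tighter than OR, so the trailing OR ''='' in the magic
        # case makes the vulnerable WHERE clause true for every row.
        print(repr(name),
              "vulnerable:", login_vulnerable(db, name, password),
              "parameterized:", login_parameterized(db, name, password))
```

With the parameterized query, only a matching name and password pair returns a row; the quoted strings are compared literally against the stored values.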