How does 1=1 in a WHERE clause prevent SQL injection? [Resolved]

Posted by Allemahesh under Sql Server on 3/26/2014 | Points: 10 | Views : 1306 | Status : [Member] [MVP] | Replies : 3
I have read that 1=1 in a WHERE clause will prevent SQL injection. I know that 1=1 in a WHERE clause is used in dynamic queries. But I have not understood how this works.
Does anyone have any idea?

Responses

Posted by: A2H on: 3/26/2014 [Member] [MVP] Silver | Points: 50

Resolved
Hi Alle Mahesh,

With all due respect, I have to disagree with you on the point that "1=1 will prevent SQL injection attacks".

AFAIK this statement (1=1) will in fact cause SQL injection attacks. The reason is that 1=1 combined with an OR, like 'OR 1=1', will always make your SQL query execute fine even though one of the parameters is wrong.

Ex:
Let's take a sample table named "tableEmployee". It has columns like

EmployeeID,EmployeeName,EmployeeDesignation,EmployeeAddress

To get values from this table we can use a normal SQL query like the one given below
Select * from tableEmployee Where EmployeeID = 1

The above query will return all the records related to the employee with ID 1.

Suppose an anonymous person is trying to steal information from the website.
Obviously he doesn't know the EmployeeID, but he can pass input data like this: '' OR 1=1, which in turn forms the query given below
Select * from tableEmployee Where EmployeeID = '' OR 1=1

And this will return all the records because 1=1 is always true.

Working Sample Demo
http://sqlfiddle.com/#!3/72166/3

You can check the links below for more details
http://msdn.microsoft.com/en-us/magazine/cc163917.aspx
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3866756/10-Ways-to-Prevent-or-Mitigate-SQL-Injection-Attacks.htm
http://security.stackexchange.com/questions/8761/sql-injection-with-and-1-1

Thanks,
A2H
My Blog

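As an added illustration (not part of A2H's post), here is the same lookup with the dynamic query built two ways, run against an in-memory SQLite table modelled on tableEmployee: the column names come from the answer, the rows are constructed. It shows why concatenating the input into the SQL text widens the result set to every row, while binding the input as a parameter leaves the WHERE clause intact:

```python
import sqlite3

# Constructed sample rows modelled on the answer's "tableEmployee"; not from the post.
ROWS = [
    (1, "Alice", "Engineer", "1 Main St"),
    (2, "Bob", "Manager", "2 Oak Ave"),
    (3, "Carol", "Analyst", "3 Elm Rd"),
]


def make_db():
    """In-memory SQLite database standing in for the SQL Server table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tableEmployee (EmployeeID INTEGER, EmployeeName TEXT,"
        " EmployeeDesignation TEXT, EmployeeAddress TEXT)"
    )
    con.executemany("INSERT INTO tableEmployee VALUES (?, ?, ?, ?)", ROWS)
    return con


def lookup_concat(con, employee_id):
    """Vulnerable: the input is spliced into the SQL text, so an input such as
    '' OR 1=1 becomes part of the WHERE clause and matches every row."""
    sql = "SELECT * FROM tableEmployee WHERE EmployeeID = " + employee_id
    return con.execute(sql).fetchall()


def lookup_param(con, employee_id):
    """Hardened: the input is bound as a parameter, so the database only ever
    compares it as a value; the query structure cannot change."""
    sql = "SELECT * FROM tableEmployee WHERE EmployeeID = ?"
    return con.execute(sql, (employee_id,)).fetchall()


def demo():
    """Row counts for a benign id and the '' OR 1=1 input from the answer."""
    con = make_db()
    benign, hostile = "1", "'' OR 1=1"
    return {
        "concat_benign": len(lookup_concat(con, benign)),    # 1 row
        "concat_hostile": len(lookup_concat(con, hostile)),  # all 3 rows
        "param_benign": len(lookup_param(con, benign)),      # 1 row
        "param_hostile": len(lookup_param(con, hostile)),    # 0 rows
    }


if __name__ == "__main__":
    print(demo())
```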

Posted by: Allemahesh on: 3/27/2014 [Member] [MVP] Silver | Points: 25

Great. Thank you for your reply.


Posted by: A2H on: 3/27/2014 [Member] [MVP] Silver | Points: 25

Glad to be of help

Thanks,
A2H
My Blog
