If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --'; which type of SQL injection attack is the attacker performing?
The correct answer is A. End of Line Comment. The -- sequence is used to comment out the rest of the SQL query, potentially altering the intended query execution.
The correct answer is "A. End of Line Comment" per official EC-Council documentation.
End of Line Comment
After injecting the code into a specific field, legitimate code that follows is nullified using end of line comments: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
It's A: In CEHv11 pg 2032 - End of line Comment. After injecting the code into a specific field, legitimate code that follows is nullified using end of the line.
Answer is A:
End of Line Comment: After injecting the code into a specific field, legitimate code that follows is nullified using end of line comments: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
Answer is C. EC Council CEHv11 Page 2017
Illegal/Logically Incorrect Query
An attacker may gain knowledge by injecting illegal/logically incorrect requests such as injectable parameters, data types, names of tables, and so on. In this SQL injection attack, an attacker intentionally sends an incorrect query to the database to generate an error message that may be useful for performing further attacks. This technique may help an attacker to extract the structure of the underlying database.
For example, to find the column name, an attacker may give the following malicious input:
Username: 'Bob"
The resultant query will be
SELECT * FROM Users WHERE UserName = 'Bob"' AND password =
After executing the above query, the database may return the following error message:
"Incorrect Syntax near 'Bob'. Unclosed quotation mark after the character string '' AND Password='xxx''."
A is correct
check
https://ktflash.gitbooks.io/ceh_v9/content/132_types_of_sql_injection.html
End of Line Comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end of line comments: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
Tautology: Injecting statements that are always true so that queries always return results upon evaluation of a WHERE condition.
The answer is Error Based SQL Injection: Tautology. The reason is given below:
-Attackers intentionally insert bad input into an application, causing it to throw database errors.
-The attacker reads the database-level error messages that result in order to find an SQL injection vulnerability in the application.
-Based on this, the attacker then injects SQL queries that are specifically designed to compromise the data security of the application.
End of Line Comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end of line comments: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
Comments in a line of code, often denoted by (--), are ignored by the query.
The database will execute the code until it reaches the commented portion, after which it will ignore the rest of the query.
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
Tautology: Injecting statements that are always true so that queries always return results upon evaluation of a WHERE condition: SELECT * FROM users WHERE name = '' OR '1'='1';
use a conditional OR clause
It can be used to bypass user authentication.
answer:A
End of Line Comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end of line comments: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --'; which type of SQL injection attack is the attacker performing?
A. End of Line Comment
B. UNION SQL Injection
C. Illegal/Logically Incorrect Query
D. Tautology
Your answer is presently "Wrong" please fix - should be D. Tautology
Sorry bro but you're wrong. A is the correct answer as per the official documentation. I quote.....
Tautology
Attackers inject statements that are always true so that queries always return results upon evaluation of a WHERE condition: SELECT * FROM users WHERE name = '' OR '1'='1';
End of Line Comment
After injecting code into a particular field, legitimate code that follows is nullified through the use of end of line comments: SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
upvoted 10 times
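The end-of-line comment case quoted in the thread (the `members` query with `admin'--`), run against an in-memory SQLite table next to a parameterized version of the same lookup. This is an added example, not part of the original discussion or the EC-Council material; the table contents, passwords and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the query quoted in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("admin", "s3cret-constructed"), ("bob", "hunter2-constructed")])
    return db

def login_concat(db, username, password):
    # Vulnerable form: user input is spliced into the SQL text, so a quote
    # in the input closes the string literal and '--' comments out the
    # legitimate "AND password = ..." clause that follows.
    sql = ("SELECT username FROM members WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sql, sorted(row[0] for row in db.execute(sql))

def login_param(db, username, password):
    # Hardened form: placeholders keep the input as data. The quote and
    # the '--' are compared literally against the username column.
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (username, password)))

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "wrong"), ("admin'--", "wrong"),
                     ("admin", "s3cret-constructed")]:
        sql, rows = login_concat(db, user, pw)
        print("input   :", repr(user))
        print("query   :", sql)
        print("concat  :", rows)
        print("param   :", login_param(db, user, pw))
        print()
```

In the concatenated query the password check is still present in the text but sits after `--`, so the database never evaluates it; the parameterized call returns no row for the same input.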
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted