SQL Injection with Filters
I have a SQLite query, which is something like:
SELECT id FROM demo WHERE name="insertname"
In this case, double quotes are disabled, which means that insertname cannot contain double quotes. Is there a way to somehow bypass the double-quote filter?
Some experimenting shows that double quotes signify 2 conditions, comparing both against the value of the field named insertname and against the value insertname. So unlike the use of single quotes, manipulating the condition into WHERE name="name" will yield all rows, potentially allowing a bypass of checks such as authentication.
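
The behaviour described in the answer, reproduced with Python's sqlite3 module as an added example (not code from the original post). The table contents and the function names are constructed for illustration; it shows that the double-quote filter does not prevent the identifier match, while a bound parameter does.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo table named in the question.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO demo (name) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    return db


def lookup_filtered_concat(db, value):
    """Pattern from the question: reject double quotes, then concatenate."""
    if '"' in value:
        raise ValueError("double quotes are not allowed")
    # SQLite resolves a double-quoted token to a column when one with that
    # name exists, so the input name turns this into name = name.
    sql = 'SELECT id FROM demo WHERE name="' + value + '" ORDER BY id'
    return [row[0] for row in db.execute(sql)]


def lookup_single_quoted(db):
    """Single quotes always denote a string literal, never a column."""
    sql = "SELECT id FROM demo WHERE name='name' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, value):
    """Bound parameter: the value is always data, whatever it contains."""
    sql = "SELECT id FROM demo WHERE name = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    print("filtered concat, input name:", lookup_filtered_concat(db, "name"))
    print("single-quoted literal 'name':", lookup_single_quoted(db))
    print("parameterized, input name:", lookup_parameterized(db, "name"))
    print("parameterized, input alice:", lookup_parameterized(db, "alice"))
```

The input passes the filter because it contains no double quote at all; only the parameterized form treats it as a plain string.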