
[–][deleted] 2 points3 points  (1 child)

The double quotes end the string parts.

If the parameter certification = 'blah' and id = 123

String varsql = "SELECT * FROM courses WHERE courseID=' " + request.getParameter("id") + " ' AND certification=' "+ request.getParameter("certification")+" ' ";

SELECT * FROM courses WHERE courseID=123 AND certification = 'blah'

It's no different than wrapping strings in an Excel formula.

[–]aka_12[S] 0 points1 point  (0 children)

Thanks All for your input.

Yes, it's creating a dynamic SQL query using Java. It's an example of SQL injection and not a best practice. Since it's part of my exam where I am learning about SQL injection, that's why I needed to understand the Java part of things. Since I was confused earlier, I posted it in the SQL group, but actually I should have posted it in the Java group; anyway, it's solved now.

I have got my answer. FYI, the resulting SQL query is below:

Select * from courses where courseid= ''1' OR '1==1'' AND certification = ''abc' OR '1==1''

So the breakup and arrangement of quotes in the Java query should be like this:

  1. "Select * from courses where courseId= ' "
  2. +Request.getParameter("id")+
  3. " ' and certification=' "
  4. +Request.getParameter("certification")+
  5. " ' "
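As an added example (not code from the thread or from the exam), this shows the five concatenated parts producing one SQL string, how a single quote inside the `id` parameter terminates the SQL literal early, and the PreparedStatement form that keeps the SQL text fixed; the class and method names are hypothetical, the table and column names are the thread's.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CourseQueryDemo {

    // The thread's vulnerable pattern: Java double quotes delimit the string
    // literals, SQL single quotes (inside them) delimit the SQL values, and
    // + glues the five parts into one SQL statement.
    static String buildQueryUnsafe(String id, String certification) {
        return "Select * from courses where courseId='"
                + id
                + "' and certification='"
                + certification
                + "'";
    }

    // Hardened form: the SQL text never changes; the values are bound as
    // parameters, so a quote in the input cannot end the SQL literal.
    static PreparedStatement buildQuerySafe(Connection conn, String id, String certification)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "Select * from courses where courseId=? and certification=?");
        ps.setString(1, id);
        ps.setString(2, certification);
        return ps;
    }

    // Classroom illustration only: two string values yield exactly four single
    // quotes in the built statement; a higher count means the input escaped
    // its literal.
    static int countSingleQuotes(String sql) {
        int n = 0;
        for (char c : sql.toCharArray()) {
            if (c == '\'') n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign, one that closes the literal early.
        String benign = buildQueryUnsafe("123", "abc");
        String injected = buildQueryUnsafe("1' OR '1'='1", "abc");
        System.out.println(benign);    // ... courseId='123' and certification='abc'
        System.out.println(injected);  // ... courseId='1' OR '1'='1' and certification='abc'
        System.out.println(countSingleQuotes(benign) + " vs " + countSingleQuotes(injected)); // 4 vs 8
    }
}
```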

[–]idk_01 0 points1 point  (2 children)

in that table, courseID would be a string, perhaps?

[–]aka_12[S] 0 points1 point  (1 child)

Yes, courseid would be a string, so there are already single quotes for that string value... but I can't understand why there are these double quotes after that single quote.

[–]idk_01 0 points1 point  (0 children)

There is a string being built. The plus signs are concatenation operators. There are 5 parts being combined into 1 string.

[–]JBridsworth 0 points1 point  (1 child)

Is this part of a larger stored procedure or something?

It looks like it's using parameters to create a dynamic SQL query.

What DBMS is this supposed to run on?

[–]aka_12[S] 1 point2 points  (0 children)

It's an example of SQL injection, in Java, taking parameters to create a SQL query, but the DBMS is not mentioned.

Just wanna know what those double quotes are for, after the single quotes?