So I was busy playing around with the Python module MySQLdb and looking
at SQL injection.
    import MySQLdb

    def hack(name):
        db = MySQLdb.connect('xxx', 'xxx', 'xxx', 'xxx')
        cursor = db.cursor()
        # user input is pasted straight into the SQL text (the injection point)
        sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name)
        print(sql)
        cursor.execute(sql)
        print(cursor.fetchall())

    hack("'pete' OR '1'='1'")

    SELECT * FROM PLAYERS WHERE NAME = 'pete' OR '1'='1'
and the entire database of players showed up.
But when I entered '%s' in the SQL statement:

    SELECT * FROM PLAYERS WHERE NAME = ''pete' OR '1'='1''

and got an error message.
So just to ask: does adding '' around %s treat the entire user input as a string and not an SQL query?
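The parameterised form the question is asking about, as an added example that is not part of the original post. It uses the standard-library sqlite3 module with a constructed in-memory PLAYERS table so it runs offline; sqlite3 uses '?' placeholders where MySQLdb uses %s, with the same execute(sql, params) call shape (the lookup_safe_mysqldb function shows that call on a MySQLdb cursor and is not executed here). lookup_unsafe reproduces the post's string-formatting pattern and returns every row for the post's input; lookup_safe passes the value as a parameter, so the same input is compared as a literal name and matches nothing. Wrapping %s in quotes is not a fix: the input is still spliced into the statement text, and any quote character in it still changes what the database parses, which is exactly the error the quoted version produced. The parameter API is what makes the input data instead of SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the PLAYERS table in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PLAYERS (NAME TEXT, SCORE INTEGER)")
    db.executemany("INSERT INTO PLAYERS VALUES (?, ?)",
                   [("pete", 10), ("anna", 20), ("raj", 30)])
    db.commit()
    return db


def lookup_unsafe(db, name):
    """Same pattern as the post: the input becomes part of the SQL text,
    so the database parses whatever it contains as SQL."""
    sql = "SELECT * FROM PLAYERS WHERE NAME = %s" % (name,)
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Parameterised query: the SQL text is fixed and the value travels
    separately, so it is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM PLAYERS WHERE NAME = ?"  # sqlite3 placeholder style
    return db.execute(sql, (name,)).fetchall()


def lookup_safe_mysqldb(cursor, name):
    """Equivalent call for the MySQLdb cursor in the post (not executed here).
    MySQLdb's placeholder is also spelled %s, but here it is a placeholder,
    not string formatting: the tuple is the second argument to execute()."""
    cursor.execute("SELECT * FROM PLAYERS WHERE NAME = %s", (name,))
    return cursor.fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "'pete' OR '1'='1'"      # the input from the post
    print(lookup_unsafe(db, payload))   # every row: the OR became part of the query
    print(lookup_safe(db, payload))     # []: no player is literally named that
    print(lookup_safe(db, "pete"))      # [('pete', 10)]
```

The difference to notice is not the placeholder spelling but the call: `execute(sql % value)` hands the driver a finished statement that already contains the input, while `execute(sql, (value,))` hands it a fixed statement plus a value to bind, and the driver quotes or escapes that value itself.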