basic 8

ok, i made the error so i know the table names… but my injection doesn't work

this is it:

SELECT password FROM family_db WHERE username='Drake'

Try making your injection simpler, more broad.

ok this is what i've got:

sql_query= SELECT * FROM family_db WHERE username='Drake'

its still not working

OK, what you have, in my opinion should work (I've PMed Grind about it), but if you make it less specific of a query, it'll work. Lemme know if you need more help

yeah, i've done the same thing

I'm not sure how you would be able to make it less specific a query. Everything seems to be needed, but then again, i wasn't able to complete this level, so some of it probably isn't needed.

hint: make it as general as possible

Found at how to REALLY do it

I know that in SQL is missin ' so I can add a variable to sql (probably AND Username='Drake'), but what can I do with password= The variable can't be set to anything because for this LIKE is needed. Any hit?

Hmm…well, the best hint i can give is, when you make a query, look at the source for hidden tags. Then, think about what that could mean. Not all injections have to be done through forms and text boxes.

If you have other questions and know what i'm talking about, don't give it away, just say you're query problems.

I cant inject it in the address bar and im using SELECT * FROM family_db WHERE Username='Drake' then im stuck anyhelp?

you can inject SQL at addressbar if you have a bug infont of it, read sourcecode

with the sql injection in the address bar can you have spaces in it. because i always though there could be none.