Comment by wglb
2 months ago
Injections don't always need ''. The statements 1=1 and 1=0, if injected into a query, will give different answers if SQLI exists.
There are MANY other tricks that don't involve ''.
Besides, consider the number of valid queries done by the application that involve '*'. You are not going to turn that off.
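The differential the comment describes, as an added example that is not part of the original thread: a numeric WHERE clause built by string concatenation, where stripping single quotes changes nothing because the injected condition contains none, next to the parameterised form that binds the input as a value. The table, rows and helper names are constructed for this illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample data: two public rows and one non-public row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "alpha", 1), (2, "beta", 1), (3, "secret", 0)])
    return conn

def strip_quotes(s):
    # The "defense" the comment argues against: remove single quotes from input.
    return s.replace("'", "")

def lookup_vulnerable(conn, item_id):
    # Numeric context: no quotes are needed to alter the WHERE clause, so the
    # quote filter above has no effect on a condition like "1 AND 1=0".
    sql = "SELECT name FROM items WHERE public = 1 AND id = " + strip_quotes(item_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, item_id):
    # Hardened form: validate the shape of the input, then bind it as a
    # parameter so the database never parses it as SQL text.
    if not item_id.isdigit():
        raise ValueError("item id must be a decimal integer")
    rows = conn.execute("SELECT name FROM items WHERE public = 1 AND id = ?", (item_id,))
    return [row[0] for row in rows]

def safe_rejects(conn, item_id):
    # Returns True when the hardened lookup refuses the input.
    try:
        lookup_safe(conn, item_id)
    except ValueError:
        return True
    return False
```

The vulnerable lookup returns a row for "1 AND 1=1" and nothing for "1 AND 1=0", which is exactly the true/false signal the comment describes; the parameterised lookup rejects both and behaves identically to a plain "1" only when given a plain "1".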