Tags: web 

# S-Q-L

```
Keith keeps trying to keep his flag safe. This time, he used a database and some PHP.

https://s-q-l.web.chal.hsctf.com/
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-HSCTF6/images/sql-1.png)

This is a simple SQL injection challenge. The username is admin. The injection string is:

```
' or '1'='1
```

In essence, an SQL injection "breaks" out of a comparison, injects the boolean OR operator, and then adds a condition that always evaluates to true, which makes the entire comparison evaluate to true.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-HSCTF6/image/sql-2.png)
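To see why the comparison collapses and how a parameterized query prevents it, here is an added example that is not part of the original writeup or the challenge's code. The challenge runs PHP and its real query is not shown, so this uses Python's `sqlite3` as a stand-in; the table layout, the function names, the stored password, and the assumption that the string goes in the password field are all constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in database; the challenge's real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_vulnerable_query(username, password):
    # Assumed shape of the flawed check: user input concatenated into the SQL text.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    query = build_vulnerable_query(username, password)
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders bind the input as data, so quotes in it cannot
    # close the string literal or add operators to the WHERE clause.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the injection string from the writeup
    # AND binds tighter than OR, so the WHERE clause becomes
    # (username = 'admin' AND password = '') or ('1'='1'), true for every row.
    print(build_vulnerable_query("admin", payload))
    print("vulnerable, wrong password:", login_vulnerable(db, "admin", "wrong"))
    print("vulnerable, payload:       ", login_vulnerable(db, "admin", payload))
    print("parameterized, payload:    ", login_parameterized(db, "admin", payload))
    print("parameterized, real login: ",
          login_parameterized(db, "admin", "constructed-secret"))
```

The PHP equivalent of the fix is a prepared statement with bound parameters (PDO or mysqli) instead of building the query string from request input.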