Here is a certain expert's code:
In this example, at first lines 34 and 35 don't exist. So it has one bug, as described here:
Set id and password as:
i)' OR '1'='1
ii)' OR ''='
iii) hi' OR 'x'='x
In PHP, if you want to verify that the user_id and password are correct (notice that this program uses a user id instead of a username), you usually write a query like this:
SELECT * FROM user WHERE id = <input_id> AND password = <input_password>
Then you check whether the query returns an empty result; if it does, the user is invalid. If the query returns 1 row, then the username and password are correct.
Now, if I want to log in as another user (the other user's id is 1 in this case), I will insert 1 in the id column. However, I don't know the password. So I must find a way to make this part of the query always return true:
password = <input_password>
One way to do that is by using
password = 'random_string' OR password != ''. As the password is always more than 0 characters, the latter logical expression will always return true. So I want the query to be something like this:
SELECT * FROM user WHERE id = 1 AND password = '<random_string>' OR password != ''
Therefore, I will insert
1 in the id, and
test' OR password != ' to make the query look like the one above.
This query will never return an empty result as long as user id 1 exists, and you can log in as user 1 in the application.
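The following is an added, runnable illustration of the answer above; it is not code from the original page or from the "expert's code" the question refers to. It uses Python's built-in sqlite3 module instead of PHP/MySQL so it runs offline, and it assumes a hypothetical `user` table with columns id, name and password filled with constructed sample rows. It builds the login query by string concatenation (the vulnerable shape the answer describes, with both values quoted), runs the three classic inputs from the answer and the targeted `test' OR password != '` input against it, and then runs the same inputs against a parameterized query, the fix that in PHP would be a mysqli or PDO prepared statement.

```python
import sqlite3

# Constructed sample data (not from the original page): the user with id 1
# is the account the text describes logging in to without its password.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]

# The three inputs the text lists, supplied as both the id and the password.
CLASSIC_PAYLOADS = [
    "' OR '1'='1",
    "' OR ''='",
    "hi' OR 'x'='x",
]

# The targeted input from the text: id 1, with a password that turns the
# password comparison into "password = 'test' OR password != ''".
TARGET_ID = "1"
TARGET_PASSWORD = "test' OR password != '"


def make_db():
    """In-memory table shaped like the page's `user` table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(input_id, input_password):
    """Concatenates raw input into the query, as the page's query shape implies.
    Both values are quoted, so a single quote in the input closes the string
    literal and everything after it is parsed as SQL."""
    return (
        "SELECT id, name FROM user WHERE id = '" + input_id + "'"
        " AND password = '" + input_password + "'"
    )


def login_vulnerable(conn, input_id, input_password):
    """Runs the concatenated query; an empty list means 'invalid user'."""
    return conn.execute(build_vulnerable_query(input_id, input_password)).fetchall()


def login_parameterized(conn, input_id, input_password):
    """Same check with bound parameters: the driver sends the values separately
    from the statement text, so a quote in the input can never change the
    statement's structure. In PHP this is a mysqli/PDO prepared statement."""
    query = "SELECT id, name FROM user WHERE id = ? AND password = ?"
    return conn.execute(query, (input_id, input_password)).fetchall()


def compare(conn, input_id, input_password):
    """Returns (rows from the vulnerable query, rows from the safe query)."""
    return (
        login_vulnerable(conn, input_id, input_password),
        login_parameterized(conn, input_id, input_password),
    )


if __name__ == "__main__":
    db = make_db()
    print("legit   :", compare(db, "1", "s3cret"))
    print("target  :", build_vulnerable_query(TARGET_ID, TARGET_PASSWORD))
    print("          ", compare(db, TARGET_ID, TARGET_PASSWORD))
    for payload in CLASSIC_PAYLOADS:
        print("classic :", build_vulnerable_query(payload, payload))
        print("          ", compare(db, payload, payload))
```

Two things worth noticing when you run it. First, because AND binds tighter than OR, the targeted query `... id = '1' AND password = 'test' OR password != ''` does not return only user 1: it returns every account whose password is non-empty, and an application that simply takes the first row of the result lands on user 1 only because that row sorts first. Second, for every one of the injected inputs the parameterized query returns no rows at all, while the legitimate credentials still return exactly one row in both versions; binding the values, not escaping them, is what removes the bug.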