(MySQL) Modifying WHERE clauses to bypass authorization

Credit Card Numbers!

SQL is used for many purposes in addition to user authentication, one of which is access control.

If, for example, it has been identified that the user is Masa, and Masa goes to the page "Your Credit Cards" on the online bank, how does the page know how to display Masa's credit cards specifically, and not, for example, the neighboring Veera's, who also has an account in the same bank?

Usually the answer is that the credit cards in the database are linked to a specific user through some kind of ID field, and then the application retrieves only the cards whose identifier (user_id, etc) matches the identifier of the logged-in user to be displayed on the site in its code.

You can try this in the browser. Here is a query that returns all credit cards:

And here is a query that returns only user number 1's credit cards.

But what if the attacker manages to inject SQL into the end of the WHERE clause?

By adding a condition to the end of the WHERE clause that also returns every row where 1 is 1, every row from the database will be returned.

This is the situation in this module's lab. The application allows the user to filter their own credit cards based on the card number, using the LIKE statement.

Can you figure out what you could add inside the LIKE condition in the above query to make the application return all cards? Once you figure it out, open the lab and go to the "Credit Cards" page, and try to get all bank customers' credit cards out.