• Kerb@discuss.tchncs.de
    link
    fedilink
    arrow-up
    38
    ·
    edit-2
    9 months ago

    its an sql injection attack.
    its rather unlikely that it works in a modern app.

    assuming this would work,
    it injects a command in the sql database.

    it is assumed that the app runs a sql querry with the input field as a parameter e.g.
    INSERT INTO "bills" (item, ammount, tip) VALUES ("steak", "20,00 $", "content of the custom tip goes here");

    the semicolon indicates the end of the querry,
    so the the text would cause the app to run an unfinished querry, and then start a new querry that messes up the content of the bills table.