0 votes

For Question 9 in Exercise 7, can we assume that the attacker is able to manually browse through all the rows that are returned by a query, since we only know the format of the table but not how many rows it contains?

For example, if the query is `SELECT * FROM users`, is the attacker able to browse through each row and see the values of the columns `admin` and `password`? (i.e. the returned number of rows is not too large).

Edit: additional follow-up question: can we also assume that `admin` is always present in the `users` table?

in ex09 by

1 Answer

0 votes

1) The information that is visible to the attacker is restricted in each question. You can assume that the response data is not truncated, i.e. there is no limit on the size of the response.

2) You can assume that `admin` is always present in the `users` table.

by (860 points)