hunter2 might or might not be the correct password, the expression '1'='1' is always true and the database will return all rows in the UserList table -- thus allowing the attacker to log in even if they don't have the correct password.

The technique may be extended to allow the attacker to execute multiple statements. For example, if the attacker provided the password hunter2'; DROP TABLE UserList; --, the resulting query would be:

SELECT UserList.UsernameFROM UserListWHERE UserList.Username = 'alice'AND UserList.Password = 'hunter2'; DROP TABLE UserList; --'

1.Previous
3.Next