SQLi authorization bypass

Now we know that we can inject any SQL we want and it is going to be executed by the database. So, let's have another look at the statement, which is select * from accounts where username = 'username' and password = 'password', where the password value is whatever we put in the Password textbox. We will now see whether we can use that to log in without knowing the password, and we are going to do that with the admin account. So, the username is going to be admin, and since we don't know the admin password, we are going to enter any random password, for example, aaa. In the code that we were previously running, we appended and 1=1; now, instead of and, we are going to say or 1=1. So, once we inject the command, it is going to let us log in without even knowing the password of admin. Our code is going to look as follows:

select * from accounts where username = 'admin' and password='aaa' or 1=1'

When we log in using the admin Username and paste aaa' or 1=1 in the Password textbox, we can see that we logged in successfully and the signature for admin is Monkey!.

So, any time we have an or condition, if the or condition is true, the whole where clause is true. Here the clause reads (username = 'admin' and password = 'aaa') or 1=1, and since 1=1 is always true, the condition is true for every row regardless of the password. That's the way the or statement works.

Bypassing logins can be done in many ways, depending on the code that's written on the page and on how we imagine that code is written. In a lot of cases, when we put in the single quote, we won't see the error message.

So, we are going to show another example of bypassing. Instead of injecting the code into the password, we can use the username: as we saw when we put in the single quote, the username parameter is injectable in exactly the same way as the password parameter, so we can inject code in username as well.

Let's try to inject something in username: we are going to say username is equal to admin, then we are going to close the quote and add a comment, so that everything after it, including the password check, is ignored. When we run the select * from accounts where username = 'admin'#' and password='aaa' statement, it is going to inject that in username.

It's going to let us log in without even entering anything meaningful in the password field. So, we are going to put Username as admin'#, and then we can put in any Password we want to use. We are just going to put 1 and then log in; we can see we managed to log in as admin.
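To make the two bypasses above concrete from the defender's side, here is an added example (not from the original text or from the Mutillidae application) that builds the login query the way the page describes and, beside it, the parameterized version that is immune to the same inputs. The account rows are constructed, and SQLite's -- line comment is assumed in place of MySQL's #.

```python
import sqlite3

# Constructed sample data; it stands in for the accounts table the page
# queries and is not the Mutillidae database itself.
ACCOUNTS = [
    ("admin", "placeholder-admin-password", "Monkey!"),
    ("john", "placeholder-john-password", "I like the smell of confunk"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (username text, password text, signature text)")
    conn.executemany("insert into accounts values (?, ?, ?)", ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, as the login page
    described above does, so quotes in the input become SQL syntax."""
    query = (f"select * from accounts where username = '{username}' "
             f"and password='{password}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver passes the input as data, so a
    quote, a comment marker or 'or 1=1' inside it is compared literally."""
    query = "select * from accounts where username = ? and password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The page's two payloads; SQLite's line comment is '--' rather than
    # MySQL's '#', so it is used here to swallow the trailing quote.
    password_payload = "aaa' or 1=1 -- "
    username_payload = "admin'-- "
    rows = login_vulnerable(conn, "admin", password_payload)
    print(f"vulnerable, or 1=1 in password: {len(rows)} row(s) returned")
    rows = login_vulnerable(conn, username_payload, "1")
    print(f"vulnerable, comment in username: logged in as {rows[0][0]!r}")
    rows = login_parameterized(conn, "admin", password_payload)
    print(f"parameterized, same password payload: {len(rows)} row(s)")
    rows = login_parameterized(conn, username_payload, "1")
    print(f"parameterized, same username payload: {len(rows)} row(s)")
```

The concatenated version returns every row for the or 1=1 payload (the clause becomes (username = 'admin' and password = 'aaa') or 1=1) and the admin row alone for the commented username, while the parameterized version returns nothing for either.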

Again, this is black-box testing, so we don't really see the code. In many cases, we want to play around with it and see how it works, but the main thing we want to test is whether the SQLi exists, and we do that using the method from the previous section. So, try single quotes, try the and statement with a true condition, such as 1=1, and then with a false condition, such as 1=0 or 2=0, and if they behave as expected, your target has an SQLi and you can start playing around with it.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.98.13