...
Because the expression '1'='1' is always true, the password is never validated. Consequently, the attacker is inappropriately authenticated as user Utah without knowing user Utah's password.
Compliance with MSC51-J. Store passwords using a hash function requires that stored passwords be hashed rather than kept in clear text. Unfortunately, many small systems fail to comply with MSC51-J, so the password text added to the query string would match precisely what the user enters. An attacker could supply a password such as
...
This noncompliant code example reads a user name and password from the user and uses them to construct the query string. The password is passed as a char array and then hashed, to comply with MSC51-J. Store passwords using a hash function and MSC63-JG. Limit the lifetime of sensitive data.
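The following is an added, self-contained illustration of the two points made above (it is not code from the CERT standard): a login check that builds its SQL by string concatenation against clear-text passwords, placed beside one that uses a parameterized query and compares a salted hash in application code. The table names, user "Utah", the sample password, and the PBKDF2 parameters are all constructed for the example; the page's own example is Java, and this uses Python's sqlite3 module so that it runs offline. Python strings are immutable, so the char-array lifetime point from MSC63-JG does not carry over here and is not shown.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample schema: one table stores clear-text passwords (to reproduce the
# flaw the text describes), the other stores a per-user salt and a password hash.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plain_user (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE hashed_user (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Same credential registered both ways so the two login paths can be compared.
    conn.execute("INSERT INTO plain_user VALUES (?, ?)", (username, password))
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO hashed_user VALUES (?, ?, ?)",
        (username, salt, hash_password(password.encode(), salt)),
    )


def login_noncompliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The flaw from the text: user input is spliced directly into the SQL, and the
    # password is matched in clear text. A password of  ' OR '1'='1  turns the WHERE
    # clause into a tautology, so the query matches a row without the real password.
    sql = (
        "SELECT * FROM plain_user WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_compliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username travels as a bound parameter, so it is data, never SQL. The password
    # never reaches the query at all: the stored salt and hash are fetched and the
    # comparison is done in code with a constant-time check.
    row = conn.execute(
        "SELECT salt, pw_hash FROM hashed_user WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password.encode(), salt), stored_hash)


if __name__ == "__main__":
    db = make_db()
    add_user(db, "Utah", "correct-horse")
    payload = "' OR '1'='1"
    print("noncompliant, real password:", login_noncompliant(db, "Utah", "correct-horse"))
    print("noncompliant, injected     :", login_noncompliant(db, "Utah", payload))
    print("compliant, real password   :", login_compliant(db, "Utah", "correct-horse"))
    print("compliant, injected        :", login_compliant(db, "Utah", payload))
```

Running the script shows the noncompliant path accepting both the real password and the injected string, while the compliant path accepts only the real password. Parameterization alone is what stops the injection; the hashing addresses the separate MSC51-J concern that a compromised table should not reveal clear-text passwords.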
...