GIAC Certified Incident Handler (GCIH) — Question 163

Suppose a web application builds the SQL command "select PhoneNumber from contacts where Company = '[value]';". What would the result likely be if an attacker submitted the value "GIAC'; drop table contacts; --" to the database?

Answer options

• A. Nothing. The 'contacts;--' portion is syntactically incorrect.
• B. The database would attempt to drop the PhoneNumber from the 'GIAC' table.
• C. The 'contacts' table would be deleted from the database.
• D. The database would drop all records containing 'GIAC' from the 'contacts' table.

Correct answer: B

Explanation

The correct answer is B because the SQL injection attempts to drop the 'contacts' table but is structured to first select from a non-existent 'GIAC' table. Options A and D are incorrect since they misinterpret the SQL command's effect, and option C is incorrect as the SQL injection does not execute in that manner.