Imagine that a site has a form where users enter their username and password. The entered data is sent to the server, and SQL-queries like this one are executed:
SELECT * FROM customers
WHERE username = 'admin' AND password = 'pass'An attacker changed the expected SQL query to the following:
SELECT * FROM customers
WHERE username = 'test' OR 1=1--' AND password = '12345'What could they enter in the field instead of the username to make the request look like this?