> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/vulnerability-exploitation/trick-0278.md).

# SQLite Query Injection Via OR/AND Appendage

***

In scenarios where common SQL injection characters like single quotes (`'`) and semicolons (`;`) are filtered, but double quotes (`"`) are permitted, and the backend is SQLite, you can manipulate `WHERE` clauses using boolean conditions and comments.

The application constructs a query like `... WHERE username="OUR_INPUT";`. By providing input that closes the double quote, adds an `OR` condition, and then comments out the remainder of the query, you can bypass the original `WHERE` clause. The `--` sequence is the standard SQL comment marker, causing the database to ignore the rest of the line.

Use input structured like this:

```
" OR (sql_function_or_condition)--
```

For example, to always return results (bypassing a login check), you could use:

```
" OR 1=1--
```

Other variations using double quotes and comments include:

```
" OR "1"="1
```

or

```
" OR "a"="a
```

This input closes the initial `"`, adds the `OR` condition (like `1=1` or `"1"="1"`, which is always true), and the `--` comments out the rest of the original query (e.g., `";`). The resulting interpreted query fragment becomes effectively `... WHERE username="" OR 1=1` (or the equivalent boolean condition).
