Course

In this lab, you will explore the impact of different string comparison methods on a web application's security. The application ensures that a username is unique during registration by programmatically comparing it with existing usernames. However, when retrieving user details, the database performs the comparison. By default, MySQL uses a case-insensitive comparison for `VARCHAR` types, treating "admin" and "Admin" as the same value.

This discrepancy allows you to create a user account that is identified as "admin" due to the database's case-insensitive comparison. By registering an account with a variation of "admin" (e.g., "Admin" or "ADMIN"), you can trick the application into logging you in as the administrator, thereby gaining unauthorized access.