I was testing out a stored XSS on a test site I made, which is vulnerable. The problem is that when I tried executing the usual
It did not work. But this particular
I did not understand it at first, since I did not include any filtering or sanitizing, as the back-end code is entirely vulnerable.
But then I looked at the back-end SQL query which stores the XSS code, shown below.
UPDATE users set name = 'XSSINPUT';
UPDATE users set name = '"><script>alert('XSS')</script>';
Whereas this server-side code below managed to execute successfully:
UPDATE users set name = '"><script>alert("XSS")</script>';
because it's in double quotes and does not break the SQL query, which successfully allows the DB to execute that SQL query.
So, my question is: is my understanding correct? Feel free to verify my understanding. Thank you!!
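The behaviour described in the question can be reproduced in a few lines. The example below is added here and is not code from the original post; it assumes an in-memory SQLite table named users (constructed sample data) and the two payloads exactly as they appear in the queries above. The concatenating update mirrors the post's vulnerable back end: the payload with single quotes terminates the SQL string literal and the statement fails to parse, so nothing is stored; the payload with double quotes stays inside the literal and is stored intact. A parameterised update is shown alongside to make the point that fixing the injection lets the single-quote payload through to the database as well, so the stored XSS is only neutralised by encoding on output (a hypothetical render_name helper using html.escape).

```python
import html
import sqlite3

# Constructed payloads, copied from the two queries in the post.
PAYLOAD_SINGLE = '"><script>alert(\'XSS\')</script>'
PAYLOAD_DOUBLE = '"><script>alert("XSS")</script>'


def make_db():
    """In-memory users table with one row (constructed sample data, not the post's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (id, name) VALUES (1, 'alice')")
    conn.commit()
    return conn


def current_name(conn):
    return conn.execute("SELECT name FROM users WHERE id = 1").fetchone()[0]


def update_name_concat(conn, payload):
    """The vulnerable pattern from the post: the input is spliced straight into
    the SQL text. A single quote in the payload closes the string literal early,
    so 'XSS' becomes a bare identifier and the statement is a syntax error.
    Returns ("ok", stored_name) or ("error", message)."""
    sql = "UPDATE users set name = '" + payload + "';"
    try:
        conn.execute(sql)
        conn.commit()
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return ("error", str(exc))
    return ("ok", current_name(conn))


def update_name_param(conn, payload):
    """Parameterised query: the value travels separately from the SQL text, so
    quotes in the payload never reach the SQL parser and any string is stored
    verbatim. This removes the injection but not the stored XSS."""
    conn.execute("UPDATE users set name = ? WHERE id = ?", (payload, 1))
    conn.commit()
    return current_name(conn)


def render_name(name):
    """Hypothetical output-encoding step: what a fixed page would do when it
    echoes the stored name into HTML. html.escape() turns <, >, & and both
    quote characters into entities, so the script tag is shown, not executed."""
    return "<p>" + html.escape(name) + "</p>"


if __name__ == "__main__":
    print("concat, single quotes:", update_name_concat(make_db(), PAYLOAD_SINGLE))
    print("concat, double quotes:", update_name_concat(make_db(), PAYLOAD_DOUBLE))
    print("param,  single quotes:", update_name_param(make_db(), PAYLOAD_SINGLE))
    print("rendered safely:      ", render_name(PAYLOAD_SINGLE))
```

Run it as-is; the first call reports a syntax error near XSS, the second stores the double-quoted payload, and the parameterised call stores the single-quoted payload unchanged. The escaped render line shows that once the database no longer rejects the input, the only thing standing between the stored value and a live script is output encoding.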