If, however, the attacker tries the username ‘admin x’ (padded with spaces between ‘admin’ and ‘x’ to a length of 17), the application will search for it in the database and will not find it, because it is impossible to find a username with a length of 17 in a database field that has a 16-character limit. The application will accept the new username and insert it into the database. However, the username column is too short for the full name, so it is truncated and ‘admin ’ (‘admin’ followed by trailing spaces) is inserted into the database.
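The check-then-insert flow described above, modelled in Python beside a hardened version; this is an added example, not code from the original page. The `TruncatingColumn` class, the function names and the trailing-space stripping are assumptions made for illustration; the 16-character limit and the 17-character name come from the text.

```python
# Added example: in-memory model of a 16-character username column that
# silently truncates on insert, as the paragraph describes.
COLUMN_LIMIT = 16  # field length taken from the text


class TruncatingColumn:
    """Hypothetical stand-in for a database column without strict length checks."""
    def __init__(self, limit=COLUMN_LIMIT):
        self.limit = limit
        self.rows = []

    def exists(self, name):
        return name in self.rows  # exact match against stored values

    def insert(self, name):
        stored = name[: self.limit]  # silent truncation to the column length
        self.rows.append(stored)
        return stored


def register_flawed(col, name):
    """Check-then-insert with no length validation (the flow in the text)."""
    if col.exists(name):
        return None          # name already taken
    return col.insert(name)  # may store something other than `name`


def register_hardened(col, name):
    """Assumed fix: refuse over-long names, compare on the stripped form."""
    if len(name) > col.limit:
        return None          # would be truncated: reject instead
    canonical = name.rstrip()
    if any(row.rstrip() == canonical for row in col.rows):
        return None          # collides with an existing name once padding is removed
    return col.insert(canonical)


def demo():
    padded = "admin" + " " * 11 + "x"  # constructed input, 17 characters
    flawed = TruncatingColumn()
    flawed.insert("admin")
    stored = register_flawed(flawed, padded)
    hardened = TruncatingColumn()
    hardened.insert("admin")
    rejected = register_hardened(hardened, padded)
    return stored, flawed.rows, rejected, hardened.rows

if __name__ == "__main__":
    print(demo())
```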