An SQL Injection can destroy your database.
SQL Injection
SQL injection is a technique where malicious/harmful users can inject SQL commands into an SQL statements, via web page input.
Injected SQL commands can alter SQL statement and compromises the security of a web application.
1. SQL Injection Based on 1=1 is Always True.
txtUserId = getRequestString(«UserId»);
txtSQL = «SELECT * FROM Users WHERE UserId = » + txtUserId;
txtUserId = 105 or 1=1;
SELECT * FROM Users WHERE UserId = 105 or 1=1;
2. SQL Injection Based on «»=»» is Always True.
uName = getRequestString(«UserName»);
uPass = getRequestString(«UserPass»);
sql = «SELECT * FROM Users WHERE Name ='» + uName + «‘ AND Pass ='» + uPass + «‘»
SELECT * FROM Users WHERE Name =»» or «»=»» AND Pass =»» or «»=»»
The result SQL is valid. It will return all rows from the table Users, since WHERE «»=»» is…
Ver la entrada original 41 palabras más
rubenlacasa.es 