What’s the SQL Injection.?

ahsan's weblogs

An SQL Injection can destroy your database.

SQL Injection

SQL injection is a technique where malicious/harmful users can inject SQL commands into an SQL statements, via web page input.
Injected SQL commands can alter SQL statement and compromises the security of a web application.

1. SQL Injection Based on 1=1 is Always True.

txtUserId = getRequestString(“UserId”);
txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;
txtUserId = 105 or 1=1;
SELECT * FROM Users WHERE UserId = 105 or 1=1;

2. SQL Injection Based on “”=”” is Always True.

uName = getRequestString(“UserName”);
uPass = getRequestString(“UserPass”);
sql = “SELECT * FROM Users WHERE Name ='” + uName + “‘ AND Pass ='” + uPass + “‘”

SELECT * FROM Users WHERE Name =”” or “”=”” AND Pass =”” or “”=””
The result SQL is valid. It will return all rows from the table Users, since WHERE “”=”” is…

Ver la entrada original 41 palabras más

Anuncios

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s