What's SQL Injection?

ahsan's weblogs

An SQL Injection can destroy your database.

SQL Injection

SQL injection is a technique where malicious users inject SQL commands into an SQL statement through web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.

1. SQL Injection Based on 1=1 Is Always True.

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

txtUserId = 105 or 1=1;

SELECT * FROM Users WHERE UserId = 105 or 1=1;

2. SQL Injection Based on ""="" Is Always True.

uName = getRequestString("UserName");
uPass = getRequestString("UserPass");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"';

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

The resulting SQL is valid. It will return all rows from the table Users, since WHERE ""="" is…
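The two cases above can be reproduced end to end against a throwaway database, and placed next to the parameterised form that defeats them. The following is an added example, not code from the original post: it builds a constructed three-row Users table in an in-memory SQLite database, runs the string-concatenated queries from sections 1 and 2, and then runs the same lookups with bound parameters. SQLite string literals use single quotes, so the quote-breaking payload here is ' or ''=' rather than the post's " or ""="; the function names and sample rows are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): three users in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "alice", "s3cret"), (106, "bob", "hunter2"), (107, "carol", "letmein")],
    )
    return conn


# --- Section 1: numeric value concatenated straight into the statement ---------

def build_lookup_vulnerable(txt_user_id):
    # Same construction as the post's txtSQL: the request value becomes part of the SQL text.
    return "SELECT * FROM Users WHERE UserId = " + txt_user_id


def lookup_user_vulnerable(conn, txt_user_id):
    return conn.execute(build_lookup_vulnerable(txt_user_id)).fetchall()


def lookup_user_safe(conn, txt_user_id):
    # Validate the type first, then bind the value; the driver never parses it as SQL.
    if not txt_user_id.isdigit():
        raise ValueError("UserId must be a number")
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (int(txt_user_id),)
    ).fetchall()


# --- Section 2: hand-quoted string values --------------------------------------

def build_login_vulnerable(u_name, u_pass):
    # Same construction as the post's sql, with SQLite's single-quoted string literals.
    return (
        "SELECT * FROM Users WHERE Name ='" + u_name + "' AND Pass ='" + u_pass + "'"
    )


def login_vulnerable(conn, u_name, u_pass):
    return conn.execute(build_login_vulnerable(u_name, u_pass)).fetchall()


def login_safe(conn, u_name, u_pass):
    # Bound parameters: quotes inside u_name/u_pass stay data, so ' or ''=' matches nothing.
    return conn.execute(
        "SELECT * FROM Users WHERE Name = ? AND Pass = ?", (u_name, u_pass)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Section 1 payload from the post: 105 or 1=1
    print(build_lookup_vulnerable("105 or 1=1"))
    print("vulnerable rows:", len(lookup_user_vulnerable(conn, "105 or 1=1")))
    try:
        lookup_user_safe(conn, "105 or 1=1")
    except ValueError as e:
        print("safe lookup rejected input:", e)
    # Section 2 payload, single-quote form: ' or ''='
    print(build_login_vulnerable("' or ''='", "' or ''='"))
    print("vulnerable rows:", len(login_vulnerable(conn, "' or ''='", "' or ''='")))
    print("safe rows:", len(login_safe(conn, "' or ''='", "' or ''='")))
```

The vulnerable functions return every row for both payloads because the injected text is parsed as part of the WHERE clause (AND binds tighter than OR, so the trailing ''='' makes the whole predicate true). The safe versions return exactly the rows whose stored values equal the submitted strings, which for the payloads is none; the numeric lookup additionally rejects anything that is not a number before the database sees it.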
