SQL Injection Slides


SQL Injection

Dawid Czagan
SECURITY INSTRUCTOR
@dawidczagan


Overview

Understanding SQL Injection
Bypass Password Verification

Understanding SQL Injection
User’s controlled data changes the underlying SQL query

Attacker’s goal: Unauthorized Access to User’s Account

Login query built from the submitted email and the password 'xyz':

    SELECT * FROM users WHERE email = '[email protected]' and password = 'xyz'

Result: SQL Syntax is Correct / No Access to User’s Account (the password does not match)


Understanding SQL Injection
User’s controlled data changes the underlying SQL query

The email field now ends with a single quote, which terminates the string literal early:

    SELECT * FROM users WHERE email = '[email protected]'' and password = 'xyz'

Result: SQL Syntax Error / No Access to User’s Account


Understanding SQL Injection
User’s controlled data changes the underlying SQL query

The email field ends with a quote followed by the SQL comment marker `-- `, so everything after it is ignored by the database:

    SELECT * FROM users WHERE email = '[email protected]' -- ' and password = 'xyz'

The query the database actually evaluates:

    SELECT * FROM users WHERE email = '[email protected]'

Result: Password Verification Bypassed / Unauthorized Access to User’s Account


Demo: SQL Injection

Fixing the Problem: SQL Injection
Sanitization (Parameterized Query)

    // PHP/mysqli form of the slide's pseudocode (dbQuery -> prepare,
    // dbBindParameters -> bind_param, dbStatementExecute -> execute).
    // Assumes $mysqli is an open mysqli connection and $email / $password
    // hold the submitted form values. The statement is prepared with
    // placeholders first and the values are bound afterwards, so user
    // input is compared as data and never parsed as part of the SQL text.
    $stmt = $mysqli->prepare("SELECT * FROM users WHERE email = ? and password = ?");
    $stmt->bind_param("ss", $email, $password); // "ss": two string parameters
    $stmt->execute();
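The three "Understanding SQL Injection" queries and the parameterized fix, run end to end so the effect of each input can be observed. This is an added example, not code from the slides or from the author: it uses an in-memory SQLite database, and the users table, the email address `alice@example.com` and the passwords are constructed sample data. As on the slides, the stored password is compared directly; hashing stored passwords is a separate concern not covered here.

```python
"""Added example (not from the slides): the login query from the deck, built the
vulnerable way and the parameterized way, run against an in-memory SQLite
database. The user table, the email address and the passwords are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table holding one user (constructed email and password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 ("alice@example.com", "correct-horse"))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """The pattern the slides attack: user input is pasted into the SQL text.

    Returns (query_that_was_executed, outcome) where outcome is the number of
    matching rows, or a 'syntax error: ...' string if the database rejected
    the statement (the single-quote case on the slides)."""
    query = f"SELECT * FROM users WHERE email = '{email}' and password = '{password}'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return query, f"syntax error: {exc}"
    return query, len(rows)


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> int:
    """The fix from the slides: the SQL text contains only placeholders and the
    values are passed separately, so a quote or '-- ' in the input is compared
    as part of the email string and never interpreted as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE email = ? and password = ?", (email, password)
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    conn = make_db()
    cases = [
        ("alice@example.com", "xyz"),       # slide 1: well-formed query, wrong password
        ("alice@example.com'", "xyz"),      # slide 2: stray quote breaks the syntax
        ("alice@example.com' -- ", "xyz"),  # slide 3: comment removes the password check
    ]
    for email, password in cases:
        query, outcome = login_vulnerable(conn, email, password)
        print(f"{query}\n  vulnerable    -> {outcome}")
        print(f"  parameterized -> {login_parameterized(conn, email, password)} row(s)")
```

With the vulnerable function the first input matches nothing, the second is rejected by the parser, and the third returns the user's row without the password ever being checked; the parameterized function returns zero rows for all three and one row only for the real credentials. SQLite accepts `--` as a comment marker anywhere; MySQL additionally requires whitespace after it, which is why the payload on the slides carries a trailing space.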
Summary: SQL Injection

Bypass Password Verification
Sanitization (Parameterized Query)