8 - SQL Injection

SQL injection attacks allow attackers to access and extract confidential information from databases by exploiting code that places user-supplied input into SQL statements without sanitization. Attackers take advantage of the places where an application passes SQL arguments to a database to gain unauthorized access. Common SQL injection techniques include appending `1=1`, which is always true; appending `""=""` (an empty string compared with itself), which is also always true; and batching SQL statements with semicolons to perform unauthorized actions such as dropping a table. To prevent SQL injection, user-supplied values should be sanitized, or SQL parameters (prepared statements) should be used.

Uploaded by

Farah Yaqoob

SQL INJECTION:

-SQL injection attacks, also called SQLi attacks, are a type of vulnerability in the code of websites and web apps that allows attackers to hijack back-end processes and access, extract, and delete confidential information from your databases.
-SQL statements often use arguments to pass data from users into a secured database or vice versa. Unless the values in these user-supplied SQL arguments are secured by sanitizing or prepared statements, attackers can use the places where your app communicates with a database with a SQL argument to gain access to confidential information and other secured areas.
------------------------------------------------------------------------------------------------------------------
**SQL INJECTION BASED ON 1=1 IS ALWAYS TRUE:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

-The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
------------------------------------------------------------------------------------------------------------------
**SQL INJECTION BASED ON ""="" IS ALWAYS TRUE:

SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
Change to:
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

-The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE. (AND binds tighter than OR, so the trailing OR ""="" makes the whole WHERE clause true regardless of the Name and Pass values.)
------------------------------------------------------------------------------------------------------------------
**SQL INJECTION BASED ON BATCHED SQL STATEMENTS:
-A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
-The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

SELECT * FROM Users; DROP TABLE Suppliers

------------------------------------------------------------------------------------------------------------------
PROTECTION:
-To protect a web site from SQL injection, you can use SQL parameters.
-SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
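The following is an added example, not part of the original notes: it runs the 1=1 and ''='' inputs from above against a concatenated query and against a parameterized one, using Python's sqlite3 module and a constructed in-memory Users table (single-quoted string literals are used, since that is standard SQL string syntax).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; row 105 mirrors the notes' "John Doe"/"myPass".
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'John Doe', 'myPass');
        INSERT INTO Users VALUES (106, 'Jane Roe', 'secret');
        """
    )
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable: the raw input becomes part of the SQL text, so
    # "105 or 1=1" turns the WHERE clause into one that is always true.
    sql = "SELECT UserId, Name FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def get_user_parameterized(conn: sqlite3.Connection, user_id) -> list:
    # Safe: the value is bound at execution time and never parsed as SQL,
    # so the text "105 or 1=1" is compared as data and matches no row.
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Vulnerable: quotes in the input close the literal, so the payload
    # "' or ''='" rebuilds the ''='' clause from the notes.
    sql = ("SELECT UserId, Name FROM Users WHERE Name = '" + name
           + "' AND Pass = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Safe: quotes and keywords inside bound parameters stay literal data.
    sql = "SELECT UserId, Name FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(get_user_vulnerable(db, "105 or 1=1"))      # both rows leak
    print(get_user_parameterized(db, "105 or 1=1"))   # []
    print(login_vulnerable(db, "' or ''='", "' or ''='"))      # both rows leak
    print(login_parameterized(db, "' or ''='", "' or ''='"))   # []
```

Note that sqlite3's `execute()` refuses to run more than one statement per call, which happens to block the batched `; DROP TABLE` case for this driver, but that is a driver quirk rather than a defense; parameter binding is what keeps the input out of the SQL grammar.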