0

Hey Guys,
I've heard that SQL Injection is one of the most common tool that the hackers use to hack a web application. Can anyone please give me a brief overview of what SQL Injection is or any webpages that I can refer to.
Thanks

4
Contributors
6
Replies
7
Views
8 Years
Discussion Span
Last Post by Shanti C
0

SQL injection is an attack on the database. Basically, injectors take an educated guess about your query design and try to manipulate it. Let's take a look at the following login:

$query = "SELECT * FROM customers WHERE username = '$name' and password = '$password'";

$name and $password come from a form using input type='text'. Thus, anything can be typed into these fields. So, the injector types in ' OR 1' for each field. Let's substitute the variables and actually take a look at what gets sent to MySQL:

$query = "SELECT * FROM customers WHERE username = '' OR 1'' and password = '' OR 1''";

Adding ' OR 1' to the variable will a.) keep the query from failing due to parse errors and b.)make the query default to true, giving the user access to anything in the db that he/she is capable of getting to.

0

Does the injector type in the URL or hacks into the coding????
Please give some resources on the net.
Thanx

0

This is done through URL as intruder firstly examine URL string that is send to server and if he sees any possibility of vulnerability he will try to modify this string and submit

0

Is there any method by which SQL Injection can be stopped or any software available???

0

Depends on the technology used. I think that Java and its PrepareStatements is something that you can not beat, with PHP you need to do lot of checking and set up many rules to prevent injections. I expect that Microsoft web pages build with C# or VB are reasonably secure dunno about plain ASP, I never worked with it.

0

with PHP you need to do lot of checking and set up many rules to prevent injections.

Need more information on this.....

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.