I'm a fresher at SQL injection. I have already worked with and have good knowledge of MS SQL Server 2000, 2005 and 2008. Can anybody give me the steps and explain how to work on SQL injection as part of being a testing engineer?

Kindly send me the links ASAP.

With Regards,

Wherever you are sending your variables from to query your database, add a SQL command in there and see if it gets executed. For example, if your website has a search box, type an update command into it, or an insert, then look to see whether it executed.

A bit of intelligent code needs to be inserted to make an SQL injection work.

It cannot be directly obtained by inserting just any SQL statement inside any text box, Fortinbra... :)

An intruder who wants to do such injections first checks what kind of DB is at the backend, whether MySQL, Oracle or MSSQL,
because each has different techniques for executing a query, and a few of them support execution of batch SQL statements, which makes it easier for the intruder to intrude.

But SQL injection can only work if someone has used a dynamic query to put, check or select data in the database.

For example, using textbox fields directly to compare username and password.
A VB code example, kept simple for ease of understanding...

Dim query As String
' Table name LoginTab as referred to later in this post; the string is concatenated
' directly from the two textboxes, which is what makes it injectable.
query = "select username,password from LoginTab " & _
        "where username='" & userText.Text & "' and password='" & passText.Text & "'"

This is an example of a dynamic query that gives the intruder a chance to intrude.

I have two textboxes and a button for taking the username and password, with name/ID
userText and passText respectively.
How do you pass a smart injecting code???

If a user puts anything in the username textbox (xxx) and enters
a code like this in the password textbox....

xxx' OR 'a'='a

What this code will do is change the query's value at runtime to the following...

Dim query As String
' The resulting string once the two textbox values have been concatenated in:
query = "select username,password from LoginTab " & _
        "where username='xxx' and password='xxx' or 'a'='a'"

Now the code given above is simple to understand. It entirely changes the query and will definitely return some or all rows from LoginTab even if the username 'xxx' and password 'xxx' do not exist at all, just because an OR condition is inserted that entirely changes the query here.

Points to remember
1) In MSSQL, a single quote is used to represent text and char type values, so it can be different in MySQL and other relational databases.
2) If there is client-side validation, like some JavaScript code to check all the inputs, then this also won't work, but of course that JavaScript can be overcome by saving the page as HTML, removing all validation and submitting it again.
3) It will surely not work if dynamic queries are not used. As mentioned above, the safer technique to keep the database safe from SQL INJECTION is to pass values as parameters to queries defined somewhere else.

Hope that it adds a bit to your knowledge...

commented: neatly explained. +8
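The dynamic query from the post above and its parameterized counterpart, side by side, as an added example that is not part of the thread. It is Python with an in-memory SQLite table instead of VB and MSSQL; the LoginTab name comes from the post, while the two rows in it are constructed sample data.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory LoginTab with two made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LoginTab (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO LoginTab VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_dynamic(conn, user, pw):
    """Vulnerable: mirrors the VB string concatenation from the post.
    Whatever the user types becomes part of the SQL text itself."""
    query = ("select username,password from LoginTab where username='"
             + user + "' and password='" + pw + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, user, pw):
    """Safer: the values are bound as parameters, so the database engine
    treats them as data and never parses them as SQL (point 3 above)."""
    query = ("select username,password from LoginTab "
             "where username=? and password=?")
    return conn.execute(query, (user, pw)).fetchall()


def compare(user, pw):
    """Run the same credentials through both versions and return both results."""
    conn = make_db()
    try:
        return {"dynamic": login_dynamic(conn, user, pw),
                "parameterized": login_parameterized(conn, user, pw)}
    finally:
        conn.close()


if __name__ == "__main__":
    # The post's payload: the OR clause turns the WHERE into
    # (username='xxx' and password='xxx') or ('a'='a'), which is always true.
    for name, rows in compare("xxx", "xxx' OR 'a'='a").items():
        print(f"{name:14s} -> {len(rows)} row(s): {rows}")
```

Run as-is, the dynamic version hands back every row of LoginTab for a user that does not exist, while the parameterized version returns nothing; a genuine login such as alice/s3cret still matches one row in both.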

1. Can you explain to me how to write JavaScript code for client-side validation? Give me some examples and links to study it.

2. Is the SQL injection query used only in a textbox (i.e. is the box where we give the input the place where we want to enter the SQL injection query)?

It will work from a simple text box if the proper fail-safes do not exist in the code connecting the search terms to the database. It just may not be the same type of SQL injection being asked about here.


For simple JavaScript validation you can check this link, where I have posted a correct answer with an example.

Go through the link and you will get a few ideas about validation, but for SQL injection you should have a few more checks.
For example, the end user should not be allowed to insert single quotes and the symbols used in databases, so that intrusion can be restricted. This can be done with simple JavaScript by checking whether the textbox input contains any ' or other such characters.

2) Yes, the SQL injection will work in a textbox and any other such control where the user is allowed to fill in his/her own details. Many times it can also work in dropdowns if a programmer is careless and uses the dropdown's selected text directly as an input for the query.
And yes, the textbox or the place where we are asked to input is the place to write the SQL INJECTION query.

:) Hope it will help you...


I got some idea, thank you very much. If I have any doubts I'll let you know.

Hmmmm, sure, and work it out with other such topics; you will then be much clearer about all these things..