Sunday 4 August 2013

sql injection

In this case, the developer fails to filter the input for escape characters and He directly pass the input to SQL statement. This leads to vulnerability.

Consider this code:
statement = "SELECT * FROM `users` WHERE `name` = '" + userName + "';"

This code can check the username in datbase. associate degree aggressor will use malicious codes to inject his own question. for eg:

' or 1=1
he can enter the above code instead of the username. So the SQL statement will become like this:
SELECT * FROM `users` WHERE `name` = '' OR 1=1;

He can use the comments to block the rest of the query .
for eg:
' or 1=1 --
so the query will become like this:
SELECT * FROM `users` WHERE `name` = '' OR 1=1 -- ;

Here name=' ' is false. But '1'='1' is true. Here we used OR operator. So it is enough to one condition is true. So this will query bypass the login.

No comments:

Post a Comment