SQL Injection

About

When the program create SQL statement with some input, an sql injection attack can modify the SQL behavior by injecting (ie modify it) a piece of SQL in the input.

Example

Below is an example of a SQL statement build with the help of an input.

"SELECT * FROM clients WHERE clientId = " + inputClientId;

if an attack gives as inputClientId, the value 10 or 1=1, the resulting SQL would be

SELECT * FROM clients WHERE clientId = 10 or 1=1;

which returns all clients.

Prevent

To prevent SQL injection, you pass the input as parameters to the SQL. More … See SQL - Parameter (Bind | Substitution) (Marker | Variable)

Tool

  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.





Discover More
Testing Infrastructure
Software Quality - Tools

Security: Sql injection and Cross-site Scripting - Test Reporting (Manual and Automatic with Integration) Java:...
Web Security - Cross-site scripting (XSS)

cross-site scripting (XSS) is a injection security vulnerability that happens when external javascript code is injected in the page via user input. Injected JavaScript can then steal authentication tokens...



Share this page:
Follow us:
Task Runner