SQL Injection

1 - About

When a program builds an SQL statement by concatenating user input into the statement text, an SQL injection attack can change the behavior of that statement by placing a piece of SQL in the input; the database then parses the attacker's text as part of the query rather than as a value.

3 - Example

Below is an example of an SQL statement built by concatenating an input value (the variable inputClientId) into the statement text:


"SELECT * FROM clients WHERE clientId = " + inputClientId;

If an attacker supplies the value 10 or 1=1 as inputClientId, the resulting SQL is


SELECT * FROM clients WHERE clientId = 10 or 1=1;

which returns all clients, because 1=1 is always true and the or makes the whole WHERE clause true for every row.

4 - Prevent

To prevent SQL injection, do not concatenate the input into the statement text; pass it as a parameter (bind variable) instead, so the driver sends the SQL text and the value separately and the value can never be parsed as SQL. Note that parameters only work for values: table and column names cannot be bound, so an identifier taken from input must be checked against an allow-list instead. More … See SQL - Parameter (Bind | Substitution) (Marker | Variable)
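The example from the previous section next to its parameterized fix, as an added example that is not part of the original page: it uses Python's sqlite3 driver on an in-memory database filled with three constructed client rows, runs the same 10 or 1=1 payload through both a concatenating lookup and a bound-parameter lookup, and returns the rows each one produces.

```python
import sqlite3

# Constructed sample data (not from the original page): three clients.
SAMPLE_CLIENTS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (clientId INTEGER, name TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, input_client_id):
    """Build the statement by concatenation, exactly like the page's example.

    Whatever the caller passes becomes part of the SQL text, so the payload
    "10 or 1=1" turns the WHERE clause into one that matches every row.
    """
    sql = ("SELECT clientId, name FROM clients WHERE clientId = "
           + input_client_id + " ORDER BY clientId")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, input_client_id):
    """Send the SQL text and the value separately (bind parameter).

    The driver binds the value to the ? marker after the statement has been
    parsed, so "10 or 1=1" is compared as a plain string against clientId and
    matches nothing.
    """
    sql = "SELECT clientId, name FROM clients WHERE clientId = ? ORDER BY clientId"
    return conn.execute(sql, (input_client_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "10 or 1=1"
    print("vulnerable, payload :", vulnerable_lookup(conn, payload))  # all three rows
    print("safe, payload       :", safe_lookup(conn, payload))        # no row
    print("safe, legitimate id :", safe_lookup(conn, "2"))            # only bob
```

The legitimate lookup still works with the bound parameter because SQLite applies the column's numeric affinity to the text "2" before comparing; the payload string is not a number, so it stays text and never equals an integer clientId.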

5 - Tool

  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
