Wednesday, 7 March 2018

SQL Injection


SQL injection is a common attack vector that uses malicious SQL code to manipulate a backend database and access information that was not intended to be displayed. This information can be anything: user data, administrator authentication information, company data, or customers' private details.

A successful SQL injection attack may result in unauthorized viewing of user lists, the deletion of entire tables, and the attacker gaining administrator authentication and control of the database.

Code that is vulnerable to SQL injection

statement = "select * from Student where name = '" + xyz + "';"

This SQL statement retrieves the records from the Student table where name is xyz.
SQL injection works by setting xyz to a value such as the following:

' OR '1'='1

or using comments to block the rest of the query:

' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*

Ex. select * from Student where name = '' OR '1'='1';
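
The concatenated statement above beside a parameterized version, as an added example (not code from the original post). It uses Python's sqlite3 with a constructed in-memory Student table; the function names and sample rows are assumptions.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory Student table (sample rows, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Student (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",), ("O'Brien",)])
    return conn

def find_concatenated(conn, xyz):
    # Vulnerable pattern from the post: the input is pasted into the SQL text,
    # so a quote inside xyz changes the structure of the WHERE clause.
    statement = "select * from Student where name = '" + xyz + "';"
    return conn.execute(statement).fetchall()

def find_parameterized(conn, xyz):
    # Hardened form: the SQL text is fixed and xyz is bound as a value,
    # so it is only ever compared against the name column.
    return conn.execute("select * from Student where name = ?", (xyz,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    for value in ["alice", "' OR '1'='1", "O'Brien"]:
        print(repr(value))
        try:
            print("  concatenated :", find_concatenated(conn, value))
        except sqlite3.OperationalError as exc:
            # A legitimate name containing a quote breaks the concatenated query.
            print("  concatenated : error:", exc)
        print("  parameterized:", find_parameterized(conn, value))
```

The concatenated query returns every row for the second value and fails on the third, while the parameterized query treats both as plain names.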
