SQL injection is a technique for exploiting web sites by manipulating application input so that it alters the backend SQL statements. It can happen whenever an application developer places the input of a text box into a SQL statement as it is.
Here is an example of how SQL injection can be achieved.
Suppose a web site has a user authentication form that does not handle its input in any way and supplies it to the SQL query as it is.
A mischievous user who knows the user ID but does not know the password enters the user name and password below.
User Id = mahmad
Password = abc' OR 'x'='x
With this input, the query becomes:
Select *
From UserTable
Where UserId='mahmad'
And Password='abc' OR 'x'='x';
Because AND is evaluated before OR, the always-true condition 'x'='x' makes the whole Where clause true. This wrong password will work 100% without knowing the real password, and your system is cracked.
How to prevent SQL Injection in this situation?
The solution is simple: replace each single quote (') in the input with two single quotes ('').
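The login query above run three ways against an in-memory SQLite database, as an added example that is not part of the original post: with the input concatenated as it is, with the quote doubling described above, and, going beyond the post, with bound parameters. Python and sqlite3 are assumptions made here; the stored passwords and the second user are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample data. Table and column names follow the post's query;
    # plaintext passwords are kept only to mirror that query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (UserId TEXT, Password TEXT)")
    db.executemany("INSERT INTO UserTable VALUES (?, ?)",
                   [("mahmad", "S3cret!"), ("jdoe", "pa'ss")])
    return db

def login_concat(db, user_id, password):
    # Vulnerable form: the input becomes part of the SQL text unchanged.
    sql = ("SELECT * FROM UserTable WHERE UserId='" + user_id +
           "' AND Password='" + password + "'")
    return db.execute(sql).fetchone() is not None

def double_quotes(value):
    # The post's fix: every ' in the input is written as ''.
    return value.replace("'", "''")

def login_doubled(db, user_id, password):
    # Same query text, but the input can no longer close the string literal.
    sql = ("SELECT * FROM UserTable WHERE UserId='" + double_quotes(user_id) +
           "' AND Password='" + double_quotes(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_param(db, user_id, password):
    # Bound parameters: values travel separately from the SQL text, so no
    # escaping step exists that a developer could forget on one input.
    sql = "SELECT * FROM UserTable WHERE UserId=? AND Password=?"
    return db.execute(sql, (user_id, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "abc' OR 'x'='x"   # the password value from the post
    for check in (login_concat, login_doubled, login_param):
        print(check.__name__,
              "crafted:", check(db, "mahmad", crafted),
              "real:", check(db, "mahmad", "S3cret!"))
```

Only the concatenated version accepts the crafted password; the other two still accept a genuine password that contains a single quote.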
Wednesday, August 20, 2008