What is SQL injection in SQL Server?

Answer:
SQL injection is a form of attack on your SQL Server, using a vulnerability in your web application's (usually) HTML form handling.
The most common form is to inject additional commands into your SQL statement.
Many programmers are not aware of this common issue.

A simple example: you have an HTML form that collects your name.
NAME: [text box] [button GO]

Many programmers will program in a way that translates that input into an SQL statement that gathers information from the SQL server:
SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name='[name]';

So the SQL injector attempts to hijack that by typing this into the [text box]:
'; truncate table tblUsers; --

By putting that into the [text box], the program will generate this SQL statement:
SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name=''; truncate table tblUsers; -- ';

Effectively, when the program executes this statement, the entire tblUsers table will be deleted!!! This is just a simple example. There are ways to extract the database structure through injection, and by knowing your data structure, an attacker has the ability to get user information (i.e. passwords, credit cards, etc.), and even SA access, if the SQL admin has been slacking....

Thus, it is extremely important that whoever programs your web application is aware of this. But unfortunately, 90% of web programmers are not aware of this flaw.

SIMPLE SOLUTION:
A very simple solution is that you CLEANSE your data before putting it into an SQL statement, i.e. in ASP:
vsInput = Replace( vsInputbox.text, "'", "''")

This simple statement will effectively stop the use of the ' character.
Alternatively, use parameterized procedures (the best way), but not many people do this.

Good luck!
Contributor: Fhlee74
First answer by Fhlee74. Last edit by Fhlee74.
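The following is an added, runnable example, not code from the answer above or from its contributor. It replays the answer's tblUsers lookup three ways: the string-concatenation pattern the answer warns about (both a tautology that dumps every user and the stacked statement that empties the table), the Replace("'", "''") cleansing it recommends, and a parameterized query. It uses Python's bundled sqlite3 as a stand-in for ASP against SQL Server so it runs offline; the two databases behave the same for these statements, except that sqlite3 has no TRUNCATE TABLE (DELETE FROM stands in for it) and its execute() refuses batches, so executescript() is used where an ADO command would send the whole batch. The user rows are constructed sample data. It also goes one step beyond the page: it shows that quote doubling only protects a value that sits inside a quoted literal, which is the reason parameterized queries are the safer default.

```python
"""Added example (not from the original page): SQL injection against the
answer's tblUsers lookup, the quote-doubling cleanse it recommends, and a
parameterised query. sqlite3 stands in for ASP + SQL Server."""
import sqlite3

# Constructed sample rows standing in for the page's tblUsers (hypothetical data).
SAMPLE_USERS = [
    (1, "alice", "1990-01-01"),
    (2, "bob", "1985-06-15"),
    (3, "carol", "2000-12-31"),
    (4, "O'Brien", "1978-03-09"),   # a legitimate name containing a quote
]


def make_db():
    """Fresh in-memory database with the page's tblUsers columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblUsers ("
        "viUserID INTEGER PRIMARY KEY, Name TEXT, vdDateOfBirth TEXT)"
    )
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM tblUsers").fetchone()[0]


def lookup_vulnerable(conn, name):
    """The page's pattern: the form value is pasted straight into the SQL text.

    A tautology such as "' OR 'x'='x" makes the WHERE clause always true and
    returns every user; an honest name like O'Brien breaks the query instead.
    """
    sql = "SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name='" + name + "'"
    return conn.execute(sql).fetchall()


def batch_vulnerable(conn, name):
    """Same concatenation, sent as a batch the way an ADO command reaches
    SQL Server, so a stacked statement after ';' also runs. Returns the row
    count afterwards. The page's payload uses TRUNCATE TABLE; sqlite3 has
    none, so the payload used with this function says DELETE FROM instead.
    """
    sql = "SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name='" + name + "';"
    conn.executescript(sql)          # executes every statement in the string
    return count_users(conn)


def lookup_escaped(conn, name):
    """The page's 'simple solution': Replace(input, "'", "''") before
    concatenation. Inside a quoted literal this turns the attacker's quote
    into a literal quote character, so the payload becomes a plain lookup
    for a user literally named ' OR 'x'='x (no such row), and O'Brien works.
    """
    cleansed = name.replace("'", "''")
    sql = "SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name='" + cleansed + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn, user_id):
    """Caveat beyond the page: quote doubling only helps inside a quoted
    literal. A numeric column compared without quotes needs no quote at all,
    so "1 OR 1=1" passes the cleanse untouched and still returns every row.
    """
    cleansed = str(user_id).replace("'", "''")
    sql = "SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE viUserID=" + cleansed
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameterised query: the value travels separately from the SQL text,
    so whatever the user typed is compared as data and never parsed as SQL.
    """
    sql = "SELECT vdDateOfBirth, viUserID FROM tblUsers WHERE Name=?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("honest lookup  :", lookup_vulnerable(db, "bob"))
    print("tautology dump :", lookup_vulnerable(db, "' OR 'x'='x"))
    print("escaped lookup :", lookup_escaped(db, "' OR 'x'='x"))
    print("escaped O'Brien:", lookup_escaped(db, "O'Brien"))
    print("numeric bypass :", lookup_by_id_escaped(db, "1 OR 1=1"))
    print("parameterised  :", lookup_param(db, "' OR 'x'='x"))
    print("rows before stacked payload:", count_users(db))
    print("rows after  stacked payload:", batch_vulnerable(db, "'; DELETE FROM tblUsers; --"))
```

The `--` in the stacked payload is the comment marker that swallows the trailing `';` the application appends; that is what lets the injected statement parse cleanly, in SQL Server as in sqlite3.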