SQL injection
SQL Injection: Original Sin

1. Pre-defined SQL statement (the application builds the query by string concatenation):
"SELECT * FROM tblBankRecords WHERE userid = '" + userid + "'";

User input (normal): userid=JShmo
Malicious SQL code (user input): userid=' OR '1'='1

[Diagram: User injects malicious SQL code -> Application constructs SQL statement -> Database executes injected SQL statement -> Altered DB results returned to user]
SQL Injection: Garbage In Garbage Out

2. Injected SQL statement (the malicious input has been concatenated into the query text):
SELECT * FROM tblBankRecords WHERE userid = '' OR '1'='1'
SQL Injection: execution

3. Injected SQL statement, as executed by the database:
SELECT * FROM tblBankRecords WHERE userid = '' OR '1'='1'

Manipulated database results: because '1'='1' is always true, the WHERE clause matches every row, so the database returns the whole of tblBankRecords (rows 1, 2, 3, ...) to the user instead of a single account.
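As an added example that is not part of the original deck, the concatenated statement from slide 1 beside a parameterised query, both run against an in-memory SQLite table; the table and column name `userid` follow the slides, while the rows and the `balance` column are constructed.

```python
# Added example (not from the original slides): the string-concatenated query
# from the deck next to a parameterised version, run on an in-memory SQLite DB.
# Table name and userid column follow the slides; rows and balance are constructed.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblBankRecords (userid TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO tblBankRecords VALUES (?, ?)",
                     [("JShmo", 100), ("alice", 250), ("bob", 75)])
    return conn


def build_concat_sql(userid):
    # 1. "Pre-defined" statement from the slide: the user's text becomes part
    #    of the SQL itself, so quotes and OR clauses in it are parsed as SQL.
    return "SELECT * FROM tblBankRecords WHERE userid = '" + userid + "'"


def lookup_concat(conn, userid):
    # 2./3. The database executes whatever statement the concatenation produced.
    return conn.execute(build_concat_sql(userid)).fetchall()


def lookup_param(conn, userid):
    # Hardened form: the value is bound separately from the fixed SQL text, so
    # the input is only ever compared as data and can never alter the query.
    sql = "SELECT * FROM tblBankRecords WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    malicious = "' OR '1'='1"
    print(build_concat_sql(malicious))   # the slide's injected statement, verbatim
    print(lookup_concat(conn, "JShmo"))  # → [('JShmo', 100)]
    print(lookup_concat(conn, malicious))  # → all 3 rows: WHERE became '' OR '1'='1'
    print(lookup_param(conn, malicious))   # → []: nobody is literally named "' OR '1'='1"
```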