Uploaded bySongchaiDuangpan
PPTX, PDF570 views

SQL injection prevention techniques

This document discusses SQL injection and techniques to prevent it. SQL injection occurs when malicious SQL statements are inserted into an entry field to exploit vulnerabilities in the underlying database. Attackers can use SQL injection to bypass login screens or retrieve sensitive data. To prevent SQL injection, developers should escape special characters in user input before submitting queries, use prepared statements with bound parameters, and validate and sanitize all input. Input escaping involves using database-specific escape functions like mysql_real_escape_string() to avoid unintended SQL commands. Proper input validation and escaping helps prevent SQL injection attacks.

Embed presentation

Downloaded 14 times
SQL injection prevention techniques EGCO 627: Web Penetration Testing Mahidol University
What is SQL injection? An SQL injection is a technique that attackers apply to insert SQL query into input fields to then be processed by the underlying SQL database. These weaknesses are then able to be abused when entry forms allow user-generated SQL statements to query the database directly. “OR 1=1”
What is SQL injection? (Cont.) To give you a typical scenario, take a typical login form consisting of a user/email field and a password field. After the login info is submitted, it is combined with an SQL query on your web server. In PHP, the command is written in the following way:
What is SQL injection? (Cont.) It is sent to the server to verify if it was given a valid username with a corresponding password. A username “admin” with the “admin1234” password would result in this command:
What is SQL injection? (Cont.) It will then return user data that was entered in the password field. This move could allow the login screen to be bypassed. An attacker can also go further by adding another select condition, ‘OR 1=1’, that will result in the following query:
What is SQL injection? (Cont.) พิสูจน์ตัวตนปกติ พิสูจน์ตัวตนSQLi
SQL Injection - Information Gathering (Cont.) So I browsed it and I could see this:
SQL Injection - burp suite scan
SQL Injection Authentication Bypass Cheat Sheet or 1=1 or 1=1-- or 1=1# or 1=1/* ' or'1'='1 admin' -- admin' # admin'/* admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/* admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/* https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
How to prevent SQL injection attacks SQL injections are one of the most utilized web attack vectors, used with the goal of retrieving sensitive data from organizations. When you hear about stolen credit cards or password lists, they often happen through SQL injection vulnerabilities. Fortunately, there are ways to protect your website from SQL injection attacks.
SQL injection preventaion techniques Escaping Always use character-escaping functions for user-supplied input provided by each database management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL statement provided by the developer.
SQL injection preventaion techniques (Cont.) For example, use the mysql_real_escape_string() in PHP to avoid characters that could lead to an unintended SQL command. A modified version for the login bypass scenario would look like the following:
SQL injection preventaion techniques (Cont.) Previously, your code would be vulnerable to adding an escape character () in front of the single quotes. However, having this small alteration will protect against an illegitimate user and mitigate SQL injection.
SQL injection prevention techniques (Cont.) input user มาสร้าง query แล้วยิงลง database ตรงๆ โดยไม่มี escape ใดๆ
SQL injection prevention techniques (Cont.) Escape user input
DEMO
Referent • https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection- attacks/ • https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
Present BY: • Songchai Duangpan 6136896 • Phattarapon Maprasert 6136187

More Related Content

PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPTX
Sql injection
byZidh
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPTX
Sql injection
byHemendra Kumar
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
How to identify and prevent SQL injection
byEguardian Global Services
 
Sql injection - security testing
byNapendra Singh
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Sql injection
byZidh
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Sql injection
byHemendra Kumar
 
Sql injections - with example
byPrateek Chauhan
 

What's hot

PPTX
Ppt on sql injection
byashish20012
 
PPTX
SQL INJECTION
byMentorcs
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
seminar report on Sql injection
byJawhar Ali
 
PPT
Sql injection
byNitish Kumar
 
PPT
Sql injection
byPallavi Biswas
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
Sql injection
byNuruzzaman Milon
 
PPTX
SQL INJECTION
byAnoop T
 
PPT
SQL Injection
byAdhoura Academy
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
Sqlmap
byRushikesh Kulkarni
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PPT
Secure code practices
byHina Rawal
 
PPTX
Web application attacks
byhruth
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
Ppt on sql injection
byashish20012
 
SQL INJECTION
byMentorcs
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Sql Injection attacks and prevention
byhelloanand
 
seminar report on Sql injection
byJawhar Ali
 
Sql injection
byNitish Kumar
 
Sql injection
byPallavi Biswas
 
Sql injection
byNikunj Dhameliya
 
Sql injection
byNuruzzaman Milon
 
SQL INJECTION
byAnoop T
 
SQL Injection
byAdhoura Academy
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Sqlmap
byRushikesh Kulkarni
 
Sql injection in cybersecurity
bySanad Bhowmik
 
Secure code practices
byHina Rawal
 
Web application attacks
byhruth
 
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
Sql injection attack
byRajKumar Rampelli
 
Api security-testing
byn|u - The Open Security Community
 
WTF is Penetration Testing v.2
byScott Sutherland
 

Similar to SQL injection prevention techniques

PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPTX
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
PPTX
Sql Injection
bypenetration Tester
 
PPTX
Sql injection
byThe Avi Sharma
 
PPTX
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
byBoston Institute of Analytics
 
PDF
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
PDF
Prevention of SQL injection in E- Commerce
byijceronline
 
PDF
Sql injection
bySafwan Hashmi
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PPTX
SQL injection implementation and prevention
byRejaul Islam Royel
 
PPTX
Hacking Techniques
byIshaq Mohammed
 
PDF
Chapter 5 - SQL-Injection-NK.pdf
byWaad Waad
 
PPTX
Intro to SQL Injection
byhon1nbo
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
ODP
Sql injection presentation
byZara Joe
 
PDF
Sql
byIJASCSE
 
PDF
Ijcet 06 10_005
byIAEME Publication
 
PPTX
SQL INJECTION ATTACKS.pptx
byREMEGIUSPRAVEENSAHAY
 
PDF
My app is secure... I think
byWim Godden
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
Sql Injection
bypenetration Tester
 
Sql injection
byThe Avi Sharma
 
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx
byBoston Institute of Analytics
 
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
Prevention of SQL injection in E- Commerce
byijceronline
 
Sql injection
bySafwan Hashmi
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
Understanding and preventing sql injection attacks
byKevin Kline
 
SQL injection implementation and prevention
byRejaul Islam Royel
 
Hacking Techniques
byIshaq Mohammed
 
Chapter 5 - SQL-Injection-NK.pdf
byWaad Waad
 
Intro to SQL Injection
byhon1nbo
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Sql injection presentation
byZara Joe
 
Sql
byIJASCSE
 
Ijcet 06 10_005
byIAEME Publication
 
SQL INJECTION ATTACKS.pptx
byREMEGIUSPRAVEENSAHAY
 
My app is secure... I think
byWim Godden
 

Recently uploaded

PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PDF
The voice of the rain poem class 11th.pdf
byReeta Baral
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PPTX
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
PPTX
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
PPTX
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PDF
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PPTX
Steve Hale - Developing Elite Young Goalkeepers 2024.pptx
bypjmfd
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
The voice of the rain poem class 11th.pdf
byReeta Baral
 
Analyzing the data of your initial survey
byThelma Villaflores
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
Steve Hale - Developing Elite Young Goalkeepers 2024.pptx
bypjmfd
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 

SQL injection prevention techniques

  • 1.
    SQL injection prevention techniques EGCO627: Web Penetration Testing Mahidol University
  • 2.
    What is SQLinjection? An SQL injection is a technique that attackers apply to insert SQL query into input fields to then be processed by the underlying SQL database. These weaknesses are then able to be abused when entry forms allow user-generated SQL statements to query the database directly. “OR 1=1”
  • 3.
    What is SQLinjection? (Cont.) To give you a typical scenario, take a typical login form consisting of a user/email field and a password field. After the login info is submitted, it is combined with an SQL query on your web server. In PHP, the command is written in the following way:
  • 4.
    What is SQLinjection? (Cont.) It is sent to the server to verify if it was given a valid username with a corresponding password. A username “admin” with the “admin1234” password would result in this command:
  • 5.
    What is SQLinjection? (Cont.) It will then return user data that was entered in the password field. This move could allow the login screen to be bypassed. An attacker can also go further by adding another select condition, ‘OR 1=1’, that will result in the following query:
  • 6.
    What is SQLinjection? (Cont.) พิสูจน์ตัวตนปกติ พิสูจน์ตัวตนSQLi
  • 7.
    SQL Injection -Information Gathering (Cont.) So I browsed it and I could see this:
  • 8.
    SQL Injection -burp suite scan
  • 9.
    SQL Injection AuthenticationBypass Cheat Sheet or 1=1 or 1=1-- or 1=1# or 1=1/* ' or'1'='1 admin' -- admin' # admin'/* admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/* admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/* https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
  • 10.
    How to preventSQL injection attacks SQL injections are one of the most utilized web attack vectors, used with the goal of retrieving sensitive data from organizations. When you hear about stolen credit cards or password lists, they often happen through SQL injection vulnerabilities. Fortunately, there are ways to protect your website from SQL injection attacks.
  • 11.
    SQL injection preventaiontechniques Escaping Always use character-escaping functions for user-supplied input provided by each database management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL statement provided by the developer.
  • 12.
    SQL injection preventaiontechniques (Cont.) For example, use the mysql_real_escape_string() in PHP to avoid characters that could lead to an unintended SQL command. A modified version for the login bypass scenario would look like the following:
  • 13.
    SQL injection preventaiontechniques (Cont.) Previously, your code would be vulnerable to adding an escape character () in front of the single quotes. However, having this small alteration will protect against an illegitimate user and mitigate SQL injection.
  • 14.
    SQL injection preventiontechniques (Cont.) input user มาสร้าง query แล้วยิงลง database ตรงๆ โดยไม่มี escape ใดๆ
  • 15.
    SQL injection preventiontechniques (Cont.) Escape user input
  • 16.
  • 17.
  • 18.
    Present BY: • SongchaiDuangpan 6136896 • Phattarapon Maprasert 6136187