Easiest Example Of SQL Injection : Just For Beginners

As i worked a lot on SQL  Injection , n concluded that it is a vast technique or methodology or watever..Giving Rise to bore or hacticness....Thats y i m goin here to give a simple n breif overview of how to Intrude a Website With SQL INJECTION Attack.

Here is a sample basic HTML form with two inputs, login and password.


The easiest way for the login.asp to work is by building a database query that looks like this:

FROM login
WHERE username = '$username'
AND password = '$password’

If the variables $username and $password are requested directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

FROM login
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'

As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE SQL command into a two-component clause.

The 'x'='x' part guarantees to be true regardless of what the first part contains.

This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

Now this ws how to Make a simple web attack with sql injection....Bt for security Professionals.>> How To Protect it.

So here we go for that as well..

How To prevent SQL Injection attacks?
Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your databases servers through web applications. Isn’t this what they have been designed to do?

Patching your servers, databases, programming languages and operating systems is critical but will in no way the best way to prevent SQL Injection Attacks.


Post a Comment