Monday, November 3, 2008

What is SQL injection?

SQL injection is an attack on a database-driven web site in which the attacker gets the database to execute SQL statements the developer never intended, by supplying input that insecure application code pastes straight into a query. The attack travels over the same HTTP connection the site already accepts, so the firewall does not stop it: it is a flaw in the application code, not in the network.

SQL injection attacks are used to read or change data the application would never normally expose and, depending on the privileges the database runs with, to gain a foothold on the server that hosts it and from there on the rest of the organization's network.

SQL injection attacks are typically easy to avoid: never let user input become part of the SQL text itself. Send it to the database as a parameter, and validate it as well (for example, require a number where the query expects a number) as a second line of defense.

Example:

Suppose the login code builds its query by pasting the contents of the user name textbox straight into the SQL string. For a normal login it sends something like this ->
Select [UserName], [Password] From Users Where UserID = 1;
The hacker types this into the textbox instead ->
1; Drop Table Users
and the query the application now sends to the database is ->
Select [UserName], [Password] From Users Where UserID = 1; Drop Table Users;
The database sees two statements, runs both, and the Users table is gone. (This stacked form works on SQL Server and other databases that accept a batch of statements in one call; where batches are refused, the attacker instead bends the single statement, for example with a condition that is always true, to read rows it should not return.)
So never build a query by concatenating user input into SQL text in your web application.

Instead use parameterized queries or stored procedures called with parameters, so the database receives the value separately from the statement, and keep all database access in a Data Access Layer behind a Business Logic Layer, so there is one place to review. Note that a stored procedure which assembles dynamic SQL from its arguments is just as injectable as the inline query; it is the parameter binding, not the procedure or the layering by itself, that protects you against SQL injection.
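As an added example (not code from the original post), here is the concatenation bug beside its parameterized fix, written in Python with the standard-library sqlite3 module as a stand-in for the post's ASP.NET and SQL Server stack. The Users schema, the sample rows and the attacker's textbox input are constructed for the demo. The vulnerable path uses executescript(), which runs a whole batch the way the post's Drop Table example assumes the driver does; the hardened path binds the value to a placeholder, which is the same thing an ADO.NET SqlParameter or a stored-procedure argument does.

```python
import sqlite3

# Constructed, assumed schema standing in for the post's Users table.
SCHEMA = """
CREATE TABLE Users (UserID INTEGER PRIMARY KEY, UserName TEXT, Password TEXT);
INSERT INTO Users VALUES (1, 'alice', 'not-a-real-hash');
INSERT INTO Users VALUES (2, 'bob',   'not-a-real-hash');
"""

# Constructed attacker input: exactly what gets typed into the user name textbox.
PAYLOAD = "1; DROP TABLE Users"


def fresh_db():
    """Return a new in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def users_table_exists(conn):
    """True if the Users table is still present in the catalogue."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, user_id_text):
    """Vulnerable: the textbox value is concatenated into the SQL text.

    executescript() mimics a driver that executes a whole batch; that is what
    turns '; DROP TABLE Users' from data into a second statement.
    Returns the SQL that was actually sent so the caller can see it.
    """
    sql = "SELECT UserName, Password FROM Users WHERE UserID = " + user_id_text + ";"
    conn.executescript(sql)
    return sql


def lookup_safe(conn, user_id_text):
    """Hardened: the value travels as a bound parameter, never as SQL text.

    One statement with a placeholder is sent; whatever the user typed is
    compared against UserID as a value and cannot add a second statement.
    """
    cur = conn.execute(
        "SELECT UserName, Password FROM Users WHERE UserID = ?", (user_id_text,)
    )
    return cur.fetchall()


def demo():
    """Run the payload through both code paths and report what happened."""
    results = {}

    attacked = fresh_db()
    results["sql_sent_by_vulnerable_code"] = lookup_vulnerable(attacked, PAYLOAD)
    results["table_survives_vulnerable"] = users_table_exists(attacked)

    hardened = fresh_db()
    results["rows_for_payload_when_safe"] = lookup_safe(hardened, PAYLOAD)
    results["rows_for_honest_input_when_safe"] = lookup_safe(hardened, "1")
    results["table_survives_safe"] = users_table_exists(hardened)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the vulnerable path sending two statements and losing the table, while the hardened path returns no rows for the payload (it is compared as a value that matches no UserID), returns alice for an honest "1", and keeps the table. Converting the textbox value with int() before binding would be the input-validation layer on top of this; the binding alone is what makes the payload harmless.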

Source: https://www.nilebits.com/blog/2008/11/sql-injection/

7 comments:

  1. ma shaa Allah, jazakum Allahu khayran :) loved the post, simple enough.

    Mohammed Shehata.

  2. If I insist on using simple queries, is there a workaround so as not to be injected?

  3. jazak allah khayran

  4. There is a way to use direct SQL commands without using stored procedures...
    If you are using ASP.NET, wrap your query variable in SqlParameter...
    and if you are using PHP, wrap your query variable in the function mysql_escape_string.

    This simply converts harmful chars to unharmful chars.
