How To Recognize SQL Injection Vulnerabilities
From Guidance Share
Consider an application that looks a writer up by name with the query

select id, firstname, lastname from writers where firstname = '<firstname>' and lastname = '<lastname>'

where the two values come straight from user input. If one provided:

Firstname: evil'ex
Lastname: newman

the query string becomes:

select id, firstname, lastname from writers where firstname = 'evil'ex' and lastname = 'newman'

The database reads the string literal as 'evil', then meets the stray token ex where it expected and, or, or the end of the statement. Instead of running the query it rejects it with a syntax error such as

Incorrect syntax near 'ex'

A single quote in the input that turns into a database syntax error is the classic sign that the input is being pasted into the SQL text, which is exactly the condition an attacker needs for SQL injection: anything after the quote is parsed as SQL rather than treated as data.
The above SQL statement could be coded in Java as:

String firstName = request.getParameter("firstName");
String lastName = request.getParameter("lastName");
PreparedStatement writersQuery = conn.prepareStatement(
    "SELECT id, firstname, lastname FROM writers WHERE firstname = '" + firstName
    + "' AND lastname = '" + lastName + "'");
ResultSet rs = writersQuery.executeQuery();

in which the same problem exists: the user-supplied values are concatenated into the SQL text before it reaches the database, so a quote in firstName or lastName breaks out of the literal exactly as above. Using PreparedStatement does not help here, because the statement is built from the already-assembled string; it only helps when the SQL text is constant (with ? placeholders) and the values are supplied separately through setString, so that the database never parses them as SQL.
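As an added example (not code from the Guidance Share page), the following Python script demonstrates both behaviours described above against an in-memory SQLite database with a constructed writers table: the concatenated query fails with a syntax error on the page's evil'ex input, while a parameterized query treats the same input as plain data. It goes one step beyond the page: once the quote is known to reach the SQL parser, a tautology in the value turns the syntax error into a result set containing every row, which is the practical consequence of the condition the page teaches you to recognize. The table contents and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data, not from the original page: a small "writers" table.
WRITERS = [
    (1, "evil", "newman"),
    (2, "jane", "doe"),
    (3, "john", "smith"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE writers (id INTEGER, firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO writers VALUES (?, ?, ?)", WRITERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, firstname, lastname):
    """Vulnerable form: the values are pasted into the SQL text, as on the page.

    Returns ("ok", rows) when the query ran and ("error", message) when the
    database refused to parse it, so the caller can see how each input behaves.
    """
    sql = (
        "select id, firstname, lastname from writers "
        "where firstname = '" + firstname + "' and lastname = '" + lastname + "'"
    )
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:  # raised when the SQL fails to parse
        return "error", str(exc)


def lookup_parameterized(conn, firstname, lastname):
    """Hardened form: the SQL text is constant; values travel as bound parameters.

    A quote inside a value is just a character of that value here, so inputs
    that broke or widened the concatenated query simply match no row.
    """
    sql = (
        "select id, firstname, lastname from writers "
        "where firstname = ? and lastname = ?"
    )
    return "ok", conn.execute(sql, (firstname, lastname)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Probe 1: the page's input. A syntax error here is the tell-tale sign
    # that the quote reached the SQL parser instead of staying inside a literal.
    print(lookup_concatenated(db, "evil'ex", "newman"))
    print(lookup_parameterized(db, "evil'ex", "newman"))
    # Probe 2 (beyond the page): with the quote known to close the literal, a
    # tautology returns every row. It is placed in lastname so that AND binds
    # first and the trailing "or '1'='1'" applies to the whole WHERE clause:
    #   where firstname = 'x' and lastname = '' or '1'='1'
    print(lookup_concatenated(db, "x", "' or '1'='1"))
    print(lookup_parameterized(db, "x", "' or '1'='1"))
```

Run it as a script to see the four outcomes side by side. The detection signal is the first line: a quote in a value producing a parser error, rather than an empty result, tells you the application is building SQL by string assembly.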