How To Recognize SQL Injection Vulnerabilities

From Guidance Share
Revision as of 07:08, 6 March 2007 by Admin (talk | contribs)

In SQL, a lookup of writers by name starts from:

select id, firstname, lastname from writers

If a user provided:

Firstname: evil'ex
Lastname: Newman

and the application builds its WHERE clause by concatenating that input, the query string becomes:

select id, firstname, lastname from writers where firstname = 'evil'ex' and lastname = 'Newman'

which the database cannot parse. Instead of running it, the database returns an error such as

Incorrect syntax near al'

because the apostrophe in evil'ex closed the string literal early and the database tried to interpret the rest of the input as SQL.

The above SQL statement could be coded in Java as:

String firstName = request.getParameter("firstName");
String lastName  = request.getParameter("lastName");
// Vulnerable: the parameters are concatenated into the SQL text instead of being bound
PreparedStatement writersAdd = conn.prepareStatement(
    "SELECT id FROM writers WHERE firstname='" + firstName + "' AND lastname='" + lastName + "'");

in which some of the same problems exist: the user input is spliced into the statement text, so the PreparedStatement binds nothing and gives no protection against the quote in evil'ex.
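As an added example that is not part of the original page, the same scenario in Python against an in-memory SQLite table named writers (constructed here): the concatenated query fails on the name evil'ex exactly as the page describes, while the bound-parameter version treats the apostrophe as ordinary data and finds the row.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small writers table like the one on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE writers (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO writers (firstname, lastname) VALUES (?, ?)",
                     [("Evil", "Newman"), ("evil'ex", "Newman"), ("Alice", "Smith")])
    conn.commit()
    return conn


def lookup_concatenated(conn, firstname, lastname):
    """Vulnerable: input is spliced into the SQL text, like the page's Java snippet."""
    sql = ("SELECT id FROM writers WHERE firstname='" + firstname
           + "' AND lastname='" + lastname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, firstname, lastname):
    """Fixed: placeholders keep the input as data, so a quote is just a character."""
    sql = "SELECT id FROM writers WHERE firstname=? AND lastname=?"
    return [row[0] for row in conn.execute(sql, (firstname, lastname))]


def demo():
    conn = make_db()
    results = {}
    # Ordinary input: both versions return the same row.
    results["plain_concat"] = lookup_concatenated(conn, "Alice", "Smith")
    results["plain_bound"] = lookup_bound(conn, "Alice", "Smith")
    # The page's input: the apostrophe closes the literal early and the statement
    # fails to parse. A syntax error surfacing on a name field is the tell-tale
    # sign the page describes.
    try:
        lookup_concatenated(conn, "evil'ex", "Newman")
        results["quote_concat"] = "no error"
    except sqlite3.OperationalError as exc:
        results["quote_concat"] = "syntax error: " + str(exc)
    # Bound parameters search for the literal name evil'ex and find the matching row.
    results["quote_bound"] = lookup_bound(conn, "evil'ex", "Newman")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```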