How To Recognize SQL Injection Vulnerabilities

From Guidance Share
Revision as of 07:08, 6 March 2007 by Admin (talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to navigationJump to search


select id, firstname, lastname from writers

If one provided:

Firstname: evil’ex
Lastname: Newman

the query string becomes:

select id, firstname, lastname from authors where forname = ‘evil’ex’ and surname =’newman’

which the database attempts to run as

Incorrect syntax near al’ as the database tried to execute evil. 

The above SQL statement could be Coded in Java as:

String firstName = requests.getParameters(“firstName”);
String lasttName = requests.getParameters(“firstName”);
PreparedStatement writersAdd = conn.prepareStatement(“SELECT id FROM writers WHERE firstname=firstName”); 

In which some of the same problems exist.