Saturday, October 10, 2009

Sql Injection

Hello friends,

After a long time, I am writing in my blog again. Today I am going to write
about SQL injection.
I will cover these steps in this topic:
  1. Create fear
  2. what is Sql Injection
  3. Description about Sql Injection


So, very quickly, let's get started.


Create Fear
Guarding against this seems like a very simple thing once it is implemented,
but if it is not implemented it can be a very serious problem for our web application
or website.
It is a very simple and cheap way to hack into or access any database.
Using SQL injection, not only reading the database but also modifying it is very easy
to do.
If I get the chance to touch an apple, whom will I wait for? I will eat it
immediately.
It's like that.


What is SQL Injection
Fine... I tried to create fear so that we try
to prevent it, and believe me, it's not at all difficult.
Definition: SQL injection is a code injection
technique that exploits a security vulnerability occurring in the database layer
of an application. The vulnerability is present when user input is either incorrectly
filtered for string literal escape characters embedded in SQL statements or user
input is not strongly typed and is thereby unexpectedly executed. It is an instance of a
more general class of vulnerabilities that can occur whenever one programming or
scripting language is embedded inside another. SQL injection attacks are also known
as SQL insertion attacks.

Any of our select queries may have this kind of format:
"select * from TableTemp where Id=" & txtId.text
Now suppose that in my textbox txtId I write 2;delete from TableTemp
Then guess what? Every row in TableTemp is deleted, because the database receives
select * from TableTemp where Id=2;delete from TableTemp and executes both statements
(on a database and driver that accept more than one statement per command, as SQL Server does).

This is really very silly and the worst kind of coding.

It is possible in any kind of query if SQL injection is not handled while coding.

If in our select query the value in the where condition is of type string, then we also have to take care of the single quote ('),
i.e. "select * from TableTemp where name = '" & txtName.text & "'"

In this case
the value in the textbox could be xyz';delete from TableTemp;select * from sys.objects where 1='1
The first single quote closes the string literal the code opened, the delete then runs as its own statement,
and the trailing where 1='1 swallows the closing quote that the code appends, so the whole batch is syntactically valid.
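The two queries above, rebuilt as runnable Python against an in-memory SQLite database. This is an added example, not code from the original post: SQLite stands in for SQL Server, the TableTemp rows are constructed sample data, and because sqlite3's execute() refuses stacked statements, executescript() is used to mimic a driver that runs everything it is handed (as ADO.NET against SQL Server does). SQLite has no sys.objects, so the string case uses the tautology payload xyz' or '1'='1 instead, which needs no stacked statements at all. The parameterised versions beside them show that the same input then arrives as a plain value and nothing happens.

```python
import sqlite3

# Constructed sample data (not from the original post).
SEED_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def fresh_db():
    """Build an in-memory database holding the post's TableTemp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table TableTemp (Id integer, name text)")
    conn.executemany("insert into TableTemp values (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """How many rows survive in TableTemp (used to observe the damage)."""
    return conn.execute("select count(*) from TableTemp").fetchone()[0]


def lookup_id_vulnerable(conn, txt_id):
    """Mirrors  "select * from TableTemp where Id=" & txtId.text

    The textbox value is pasted straight into the SQL text. executescript()
    stands in for a driver/DBMS pair that executes a whole batch, so an
    input such as  2;delete from TableTemp  runs the DELETE as well."""
    sql = "select * from TableTemp where Id=" + txt_id
    conn.executescript(sql)  # runs every statement in the batch


def lookup_name_vulnerable(conn, txt_name):
    """Mirrors  "select * from TableTemp where name = '" & txtName.text & "'"

    Even with a single statement, a quote in the input breaks out of the
    literal:  xyz' or '1'='1  turns the WHERE clause into a tautology and
    returns every row."""
    sql = "select * from TableTemp where name = '" + txt_name + "'"
    return conn.execute(sql).fetchall()


def lookup_id_safe(conn, txt_id):
    """Strongly typed and parameterised: the id must parse as an integer,
    and the value travels to the database separately from the SQL text."""
    id_value = int(txt_id)  # raises ValueError for "2;delete from TableTemp"
    return conn.execute("select * from TableTemp where Id = ?", (id_value,)).fetchall()


def lookup_name_safe(conn, txt_name):
    """Parameterised string lookup: quotes in the input are just characters
    of the value being compared, never SQL syntax."""
    return conn.execute("select * from TableTemp where name = ?", (txt_name,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    lookup_id_vulnerable(db, "2;delete from TableTemp")
    print("rows left after injected delete:", row_count(db))
    db = fresh_db()
    print("tautology returns:", lookup_name_vulnerable(db, "xyz' or '1'='1"))
    print("parameterised returns:", lookup_name_safe(db, "xyz' or '1'='1"))
```

Parameterised queries are the fix the post is building toward: the database plans the statement with a placeholder and binds the textbox value afterwards, so no amount of quoting or semicolons in the input changes what the statement does.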

Description about Sql Injection
