SQL Injection Problem, Example and Solution for Preventing:
What is the SQL Injection Problem? SQL injection is an attack on database-backed applications: untrusted input is pasted into the text of a SQL statement, so the database reads part of that input as SQL syntax instead of as data.
Example of SQL Injection Problem:
An ASP page asks the user for a name and a password, and then sends the following string to the database:
SELECT * FROM users WHERE username = 'whatever' AND password = 'mypassword'
It seems safe, but it isn't. A user might enter something like this as her user name, leaving the password blank:
' OR 1>0 --
When this is plugged into the SQL statement, the result looks like this:
SELECT * FROM users WHERE username = '' OR 1>0 -- AND password = ''
The -- starts a SQL comment, so everything after it, including the password check, is ignored. What is left is username = '' OR 1>0, and 1>0 is true for every row, so the query returns every row in the users table. Login code that only checks whether a row came back will accept the attacker, typically as the first user returned, so anyone can get into your system without knowing a password.
How to Prevent SQL Injection Problem.
There are numerous ways a malicious user might penetrate your system using SQL injection, and various defenses, but the root cause is always the same: building the SQL statement by concatenating user input into its text. The simplest fix is to avoid dynamic SQL of that kind. Use parameterized queries (prepared statements), in which the SQL text is fixed and user input is passed as bound parameters that the database never parses as SQL; in classic ASP that means an ADODB.Command with Parameters rather than a string-built query. Stored procedures help only when they are called the same way and do not build dynamic SQL internally: a procedure that concatenates its arguments into a string and executes it is just as injectable as the page above.
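The following is an added example, not code from the original page, that runs both the vulnerable login described above and its parameterized replacement against a constructed in-memory SQLite table (usernames and passwords are made up). Python's sqlite3 module is used in place of the ASP page's database driver; the ? placeholders are sqlite3's parameter style. It shows the ' OR 1>0 -- payload returning every row from the concatenated query and matching nothing when the same input is bound as a parameter.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The ASP page's approach: the statement is built by string concatenation,
    so whatever the user types becomes part of the SQL text.
    Returns the usernames matched, i.e. who the caller would be logged in as."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: the SQL text is fixed and the user's input travels as bound
    parameters, so the database compares it as data and never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run a legitimate login and the injection payload through both versions."""
    conn = make_db()
    payload = "' OR 1>0 --"  # the user name from the example above, password left blank
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "hunter2"),
        "vuln_attack": login_vulnerable(conn, payload, ""),
        "param_legit": login_parameterized(conn, "alice", "hunter2"),
        "param_attack": login_parameterized(conn, payload, ""),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {matched}")
```

With the concatenated query the payload matches both sample users, which is the "list of all the names in the users table" described above; with parameters bound, the same string is compared literally against the username column and matches no row. The same rule applies when calling a stored procedure: pass its arguments as parameters, and make sure the procedure body does not itself concatenate them into a dynamic statement.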