মঙ্গলবার, ২১ জুন, ২০১১

SQL injection

SQL Basic Concept

SQL stands for Structured Query Language
Allows us to access a database
SQL can:
Data Manipulate Language (DML)

execute query against a database
retrieve data from a database
insert record in database
delete record from database
update record in database

Data Defination Language(DDL)

Create Table
Alter Table
Drop Table

SQL Injection – Basic Concepts

A method to attack database bypassing firewalls. In this method Parameters transmitted to te database via web applications are modified so that the executable SQL request changes.

How SQL Injection Work?

How common is it?

It is probably the most common Website vulnerability today.
It is flow in “Web application” development it is not a DB or web server problem. But most programmers are still not aware of this problem

There are two type of injections

1. SQL Injection into database a string parameter
example: ‘or 1=1 --
Query: SELECT * FROM t_name WHERE name='' OR 1=1 OR 'S'='' AND pass=''

2. SQL injection into database a numeric parameter
example: Pass = 1 or 1=1 #
Pin = 1111

3. SQL injection into database a date parameter
example: ‘0:0:10’ time delay

SQL injection characters
all special character

How to protect SQL injection

1. Using parameter based SQL Query in the database

2. Using Stored Procedure

3. Finding out user privilege

4. Don’t user default administrator accounts like sa,system,sys,admin,root



কোন মন্তব্য নেই:

একটি মন্তব্য পোস্ট করুন