SQL Injection

What is SQL injection?

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.

How does a hacker inject a script?

The attacker passes SQL syntax along with the data, and the server executes it; even parameterized data can be manipulated by a skilled and determined attacker. SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

var ShipCity;
ShipCity = Request.form ("ShipCity");
var sql = "select * from Table1 where ShipCity = '" + ShipCity + "'";

The user is prompted to enter the name of a city. If she enters Redmond, the query assembled by the script looks similar to the following:

SELECT * FROM Table1 WHERE ShipCity = 'Redmond'

However, assume that the user enters the following:

Redmond'; drop table OrdersTable--

In this case, the following query is assembled by the script:

SELECT * FROM Table1 WHERE ShipCity = 'Redmond';drop table OrdersTable--'
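As an added example (not part of the original page), the following Python code reproduces the concatenation from the script above next to a parameterized query, using an in-memory SQLite database. The Table1 and OrdersTable schema and rows are constructed for the demo, and sqlite3's executescript stands in for SQL Server's execution of the whole batch.

```python
import sqlite3


def make_db():
    # Constructed schema mirroring the page's example: Table1 with a ShipCity column
    # and an OrdersTable that the injected batch tries to drop.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Table1 (Id INTEGER, ShipCity TEXT);"
        "INSERT INTO Table1 VALUES (1, 'Redmond'), (2, 'Seattle');"
        "CREATE TABLE OrdersTable (Id INTEGER);"
    )
    return conn


def build_query_unsafe(ship_city):
    # Same concatenation as the page's script: the user's text becomes part of the SQL.
    return "SELECT * FROM Table1 WHERE ShipCity = '" + ship_city + "'"


def run_unsafe(conn, ship_city):
    # executescript runs every statement in the string, as SQL Server runs the batch.
    sql = build_query_unsafe(ship_city)
    conn.executescript(sql)
    return sql


def run_safe(conn, ship_city):
    # Parameterized: the value travels separately from the SQL text, so quotes,
    # semicolons and comment markers in it are just characters of a string literal.
    cur = conn.execute("SELECT * FROM Table1 WHERE ShipCity = ?", (ship_city,))
    return cur.fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "Redmond'; drop table OrdersTable--"
    db = make_db()
    print(run_unsafe(db, payload))
    print("OrdersTable survives unsafe query:", table_exists(db, "OrdersTable"))
    db = make_db()
    print("Safe query rows:", run_safe(db, payload))
    print("OrdersTable survives safe query:", table_exists(db, "OrdersTable"))
```

With the parameterized query the injected string simply matches no city, and the table is still there afterwards.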

When you are concatenating values of type sysname, you should use temporary variables large enough to hold the maximum 128 characters per value. If possible, call QUOTENAME() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as explained in the previous section.
