| Previous | Home | Next |
SQL Injection is can use to prevent the malicious attack by another user to save your data. But it more use is done in the process of exploitation
Injection can be done like while you are entering your email id and password for login, SQL query is inject its SQL commands into its statement. It can alter the SQL statement but provides the security for a web application.
Syntax
SELECT * FROM tablename WHERE Clause INJECTION insertion;
basic SQL Injection Insertion can be done by three ways
| Type | Description |
| 1=1 | Is always True |
| 0=1 | Is always False |
| " " = " " | Is always True |
Example
SELECT * FROM studinfo WHERE 1 = 1 ;
Display all reuslt from the table Studinfo
Example
SELECT * FROM studinfo WHERE fnama='arun' OR 1 = 1 ;
show the result on the basis of condition define fname='arun' and all result also display
Example
SELECT * FROM studinfo WHERE fnama='arun' OR 1 = 0 ;
show the result on the basis of condition define fname='arun' and single result will display whose condition is true.
Example
SELECT * FROM studinfo WHERE fnama='arun' AND 1 = 0 ;
If we can insert AND inplace of OR ,no result will be shown whose command will be given , because no condition will be true.
Example
SELECT * FROM studinfo WHERE fnama='arun' AND 1 = 1 ;
show the result on the basis of condition define fname='arun' and single result will display in which both condition is true.
The injection help in another ways they are used in some login page to check the validations which provides the security for a web application, like syntax is given below
Syntax
uname = getRequestString("Uname");
upass = getRequestString("UPass");
sql = "SELECT * FROM tablename
WHERE Name ='" + uname + "'
AND Pass ='" + upass + "'";
Example
SELECT * FROM studinfo WHERE fname='arun' AND " " = " " AND lname='saxena' and " " = " ";
In this query both the condition needs to be valid to print the info, if one of the condition is false it does not show any result
| Previous | Home | Next |