SQL Injection

By | 06/04/2014

Common injection strings

' or '1' = '1

When to attack

  • Forms
  • POST requests (form submissions)
  • Pages that display information retrieved from the database

Methods to avoid injections

  • Parameterized queries
  • Stored procedures
  • Escape all user input

OWASP SQL injection prevention cheat sheet

Blind SQL

Blind SQL injection is based on true or false conditions. Even when an injection does not directly return database contents, the application may respond differently depending on whether the injected condition is true or false. That difference acts as an oracle, and a brute-force series of such queries can be used to reconstruct the database contents one condition at a time.
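The following added example (not code from the original post) illustrates both the prevention list above and the blind case: a login check written three ways, using a constructed in-memory SQLite database. The vulnerable version concatenates user input into the SQL text, so the injection string from the top of the page matches every row and the true/false result changes with the injected condition (the oracle that blind injection depends on). The parameterized and escaped versions treat the same input as a plain string. Table and column names are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # Vulnerable: user input becomes part of the SQL statement itself.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    # Parameterized query: the driver sends values separately from the
    # SQL text, so quotes in the input can never change the query logic.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def escape_literal(value):
    # Escaping for a single-quoted SQL string literal: a literal quote
    # is written as two quotes (''). This is the "escape all user input"
    # approach; it is dialect-specific and OWASP lists it only as a
    # last resort behind parameterized queries and stored procedures.
    return value.replace("'", "''")


def login_escaped(conn, name, password):
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + escape_literal(name) +
           "' AND password = '" + escape_literal(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0


# The injection string quoted on this page, and a false-condition variant
# (constructed) used only to show the true/false oracle a blind attack reads.
INJECTION_TRUE = "' or '1' = '1"
INJECTION_FALSE = "' or '1' = '2"


def run_demo():
    conn = make_db()
    return {
        # Legitimate credentials work in all three versions.
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "valid_escaped": login_escaped(conn, "alice", "s3cret"),
        # Vulnerable: ' or '1' = '1 turns the WHERE clause into
        # (name = 'nobody' AND password = '') OR ('1' = '1'), matching all rows.
        "vulnerable_bypass": login_vulnerable(conn, "nobody", INJECTION_TRUE),
        # Vulnerable: the answer flips with the injected condition, which is
        # exactly the boolean oracle that blind SQL injection relies on.
        "vulnerable_oracle_false": login_vulnerable(conn, "nobody", INJECTION_FALSE),
        # Mitigated: the same inputs are compared as literal strings, so the
        # result is False either way and no oracle exists.
        "parameterized_true": login_parameterized(conn, "nobody", INJECTION_TRUE),
        "parameterized_false": login_parameterized(conn, "nobody", INJECTION_FALSE),
        "escaped_true": login_escaped(conn, "nobody", INJECTION_TRUE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the comparison; the vulnerable function answers True for `' or '1' = '1` and False for `' or '1' = '2`, while the parameterized and escaped versions answer False for both, which is why parameterization removes the blind oracle as well as the direct bypass.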
