SQL INJECTION is an attack in which a user (a hacker or attacker) supplies input that changes a query, so they can get information, dump all of the data, or simply delete all of the data.
$a = "SELECT * FROM users WHERE name = '" + USERID + "';"
This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "USERID" variable is assigned a value by a malicious user, the SQL statement may return all of the data. For example, use this as the USERID value in the statement $a above:
' OR '1'='1
The above can also be written like this:
' OR '1'='1' --
' OR '1'='1' {
' OR '1'='1' /*
If the hacker uses this, the query becomes the following:
SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
Instead of checking for a specific ID, the above returns all of the information in the table.
A different input renders the final SQL statement as follows:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
The above example would simply delete the users table.
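An added example, not from the original post, showing the concatenated query from $a beside a parameterized version of the same lookup: the same ' OR '1'='1 input returns every row from the concatenated query but no rows from the parameterized one. The users table and its two rows are constructed here for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, userid):
    # Vulnerable: mirrors the page's $a, the input is pasted into the SQL text,
    # so quotes and operators in it become part of the query.
    sql = "SELECT * FROM users WHERE name = '" + userid + "';"
    return conn.execute(sql).fetchall()


def lookup_param(conn, userid):
    # Hardened: the input is bound as a parameter; the database treats it as a
    # value to compare against, never as SQL syntax.
    return conn.execute("SELECT * FROM users WHERE name = ?;", (userid,)).fetchall()


def demo():
    # Returns row counts for a normal username and for the page's payload
    # against both versions of the lookup.
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "concat_normal": len(lookup_concat(conn, "alice")),
        "concat_payload": len(lookup_concat(conn, payload)),   # every row
        "param_normal": len(lookup_param(conn, "alice")),
        "param_payload": len(lookup_param(conn, payload)),     # no such user
    }


if __name__ == "__main__":
    print(demo())
```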