HACK THIS WAY

Your Guide to successful Hacking


More on SQL injection

Posted by hackthisway on November 12, 2009

In SQL databases, a single quote ( ' ) terminates a string literal, so anything that follows it is parsed as SQL code rather than data. To check whether a website is vulnerable to SQL injection, we therefore only need to type a single quote into a URL parameter. If the page spits out an error such as "argument is not a valid SQL result resource" or "there is an error in your SQL syntax", the quote reached the database unescaped, which shows the site is SQL injectable.

Besides the single quote, other characters can be used to probe for SQL injection; against Oracle, for example, a blank space, a comma or a double quote character.

Preventing SQL injection

To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.

Source: wikipedia
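To make the contrast concrete, here is an added example (not from the original post) using Python's sqlite3 module with a constructed in-memory table: the first lookup builds the SQL by string concatenation, the second uses a parameterized statement. Feeding each the single-quote probe described above shows why the concatenated form leaks a syntax error while the parameterized one simply returns no rows, and why a legitimate name containing a quote only works with the safe form.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (assumption, not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Embeds user input directly in the SQL text: the pattern the post warns about."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized statement: the value is bound separately from the SQL text,
    so a quote inside it is data, never code."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def probe_unsafe(conn: sqlite3.Connection, name: str) -> str:
    """Run the unsafe lookup and report what an attacker would observe:
    'rows:<n>' on success, or 'error:<message>' when the database rejects the SQL."""
    try:
        return "rows:%d" % len(lookup_unsafe(conn, name))
    except sqlite3.Error as exc:
        return "error:%s" % exc


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "'", "o'brien"):
        print(repr(candidate), "unsafe ->", probe_unsafe(db, candidate),
              "| safe ->", lookup_safe(db, candidate))
```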

How To: Protect From SQL Injection in ASP.NET

http://msdn.microsoft.com/en-us/library/ms998271.aspx

Protect a MySQL database:

http://digg.com/linux_unix/How_To_Protect_MySQL_Database_From_SQL_Injection_Attacks

Protect an Oracle database:

http://www.securityfocus.com/infocus/1646

