An SQL injection attack exploits a vulnerability in the way a web application passes user input into its database queries, allowing the attacker to gain access to the database and read, modify, or delete information.
A simple example of a SQL injection attack is to use the single quotation mark as part of an input value to a web page. These values can be inserted into a login as follows:
- Login: admin'--
- Login: admin'#
The database server ignores everything after `--` or `#` because these are single-line comment sequences (`--` in most SQL dialects, `#` in MySQL). The comment is what makes the trick work: the quote closes the username string early, and the comment discards the rest of the original query (such as the password check) so that it still terminates without a syntax error.
Another example of a SQL injection attack is making the query's WHERE condition always true by supplying a tautology, a comparison of a value with itself, as the input. These values can be inserted into a login as follows:
- Login: 1' or '1'='1 and Password: 1' or '1'='1
- Login: 1' or '1'='1';--
When the Username argument is evaluated, '1'='1' will evaluate to TRUE for every row, so an authentic username will be returned even though no valid credentials were supplied.