Win a copy of Programmer's Guide to Java SE 8 Oracle Certified Associate (OCA) this week in the OCAJP forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

SQL injection

 
Varun Annand
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have made a sample website using struts 1 to try SQL injection.
I have used t1 as table name with fields username and password.
I have used OracleXE as database server and Tomcat as web server.
I have tried to use all oracle commands provided on various websites but they don't seem to work for me.
This is happening despite the fact that I know the exact table name and exact field names.

Can someone provide me with code which I can use to test SQL injection.
I have used no security at all.


Regards,
Varun Anand
 
Abhi Rai
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hey ,

Better google "sql injection" you'll find a tonne a stuff , try http://en.wikipedia.org/wiki/SQL_injection

A summary of the same.

Lets assume that there is a hypothetical query :

This query takes in the value of username dynamically .
The user enters the username via HTML input tag & you may retrieve the parameter in HttpRequest.
We use our above query to match the username for any user.

Now if the user enters value "jack" in the input tag , the query becomes :

SELECT * FROM users WHERE name = 'jack';

Now instead of 'jack' the user enters value "jack or '1'='1'"

The corresponding query becomes

SELECT * FROM users WHERE name = 'jack' or '1'='1';

The latter '1'='1' being always true returns details for all the users.

That is what SQL injection does.



 
Varun Annand
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Abhi Rai wrote:Hey ,


SELECT * FROM users WHERE name = 'jack';

Now instead of 'jack' the user enters value "jack or '1'='1'"

The corresponding query becomes

SELECT * FROM users WHERE name = 'jack' or '1'='1';

The latter '1'='1' being always true returns details for all the users.

That is what SQL injection does.




I tried this but nothing happened. My simple Struts 1 application still asks for password.
Maybe I use PreparedStatement to execute SQL queries. That could have made all the difference.

Thanks,
Varun Anand
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic