Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • SQL Injection

    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 368
    Comment on it

    SQL Injection

    Security of any Application plays a major role for any developer. Some of the users try to break the security of any application for their fun, for stealing the data .They use different methods to break the security and SQL Injection is one of the vulnerability .


    In your application, there can be some of the loopholes, nulled script that can cause hacking of your application or website.


    MySQL injection is a technique which is used to attack data-driven applications. Through SQL injection, harmful SQL statements are inserted for execution.

    SQL injection is mostly known as an attack vector for websites and can attack any SQL database.

    SQL injection attacks allow hackers to damage  the existing data, transactions ,destroy the data  and changes the admin of DATABASE.

    How SQL Injection is done by Hacker


    In this section , we will show you a basic example that how hackers do the SQL Injection to hack any application--


    Example

     String query = select username, password from login where username='+request.getParameter("username")+';

    The above example cause the SQL injection. The attacker can pass the username form the textbox like :

        “'abc' or '1'='1”

    the above input will create query like :

     String query = select username, password from login where username='abc' or '1'='1'


    This Injection will get all data from login users table.

    To avoid SQL injection attack Developer should =>

       1- stop writing dynamic queries or
       2- Use prepared statements and parameterized queries.
               These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

    Using PDO
    
    	    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    
    	    $stmt->execute(array('name' => $name));
    
    	    foreach ($stmt as $row) {
    	        // do something with $row
    	    }
    
        Using MySQLi (for MySQL):
    
    	    $stmt = $dbConnection->prepare('SELECT * FROM users WHERE name = ?');
    	    $stmt->bind_param('s', $name);
    
    	    $stmt->execute();
    
    	    $result = $stmt->get_result();
    	    while ($row = $result->fetch_assoc()) {
    	        // do something with $row
    	    }
    
    
    

     

 0 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: