Questions tagged [sql-injection]

SQL injection is a technique used to take advantage of vulnerabilities arising from non-validated input on web applications to pass SQL commands through for execution on a backend database.

SQL injection is an attack technique used against databases. Web applications that do not validate input may evaluate executable statements included in that input, including SQL commands. Attackers exploit the fact that programmers often concatenate user-supplied parameters into SQL commands, or build SQL commands from user input, to embed their own SQL inside those parameters. Using this technique, an attacker can execute arbitrary SQL queries and commands on the backend database server through the web application.

924 questions
566 votes, 20 answers

How can I explain SQL injection without technical jargon?

I need to explain SQL injection to someone without technical training or experience. Can you suggest any approaches that have worked well?
torayeff
90 votes, 2 answers

Are prepared statements 100% safe against SQL injection?

Are prepared statements actually 100% safe against SQL injection, assuming all user-provided parameters are passed as query bound parameters? Whenever I see people using the old mysql_ functions on StackOverflow (which is, sadly, way too frequently)…
Polynomial
52 votes, 3 answers

How do I test for SQL injection vulnerabilities on a site with input fields?

What methods are available for testing SQL injection vulnerabilities?
John S
51 votes, 8 answers

Is there a field length that is too short to allow harmful SQL injection?

I was reading about SQL injection and saw this, which got me thinking: input fields as small as possible to reduce the likelihood of a hacker being able to squeeze SQL code into the field without it being truncated (which usually leads to a T-SQL…
James Jenkins
23 votes, 6 answers

Can SQL injection lead to remote code execution?

Is it possible to execute some code (e.g. PHP code on a PHP-based web application) on the server through SQL injection? If yes, how exactly? I understand that an un-escaped field can lead to SQL injection and an attacker can execute SQL commands of his…
pavanw3b
22 votes, 3 answers

How to defeat doubling up apostrophes to create SQLi attack?

I know some developers double up apostrophes to mitigate SQLi. (This is when the input is ' so it becomes '') Is there a way to beat this? This is on MS SQL Server.
DomBat
21 votes, 4 answers

Leveraging a shell from SQL injection

As I understand it, SQL injection should only allow for the manipulation and retrieval of data, nothing more. Assuming no passwords are obtained, how can a simple SQL injection be used to leverage a shell? I have seen attacks where this has been…
Sonny Ordell
20 votes, 3 answers

SQL injection with AND 1=1

Please explain the meaning of "AND 1 = 1" in a SQL injection attack. It's from an exercise in my university. E.g. select * from user where id = 'smith'' AND 1=1;-- and birthdate = 1970; or select * from user where id = 'smith' and birthdate =…
Alex
19 votes, 3 answers

Why do testers often use the single quote ( ' ) to test for SQL injection?

It has been seen that security testers input either ' or ; into the application entry points to test for SQL injection. Why are these characters used?
Anandu M Das
13 votes, 2 answers

How to insert data into a table with sqlmap using its sql-query command

I'm using sqlmap on a test site and I wanted to modify some of the data inside of a table. Using the switch --sql-query. What is the correct syntax? example: is it --sql-query="My_query_here"? or maybe it's --sql-query='myqueryhere'? How would I…
Digital fire
11 votes, 3 answers

No single quotes are allowed. Is this SQL injection point still exploitable?

The SQL phrase looks like this, "SELECT * from XX where id = '" + id + "'" The id variable comes directly from the GET parameter named id. And the Java web app explicitly disallows single quotes. If a single quote was found in that parameter, the…
daisy
10 votes, 3 answers

No -*|%/ and no whitespace, is this SQL injectable?

I have an SQL query like "select * from records where record like '%" + user_input + "%'" My goal here is to get all the records. So far everything I have tried involves using comments to bypass the whitespace filter, but with / and - disabled that…
user212222
10 votes, 2 answers

Is SQL injection possible via integer?

Below is the following pseudo-code: public updated(int id) { // Note that variable **id** is not surrounded by single/double quotes. sql = "Update table user set status=2 where user_id=**id** "; // execute command } Is this vulnerable…
GearLab
8 votes, 1 answer

SQL injection with 500 error code?

I'm trying to inject SQL into a website. When I write and in the input field the server returns error code 500 and the response delay is 30 seconds. When I try to add order by or group by the server takes 15 - 30 seconds to respond, and it looks…
Yanis600
7 votes, 4 answers

How to white-hat pen test SQL injection

I will start off with saying apologies if this is something that has been asked 100s of times or is a moot question within testing circles. I have come across this article I'd like to test this out but would rather do it on a real life scenario. I do…
Will