
SQL Injection:
Exploit and Defense
Duong Ngo - CSG
SQL Injection?
- An attack in which malicious code is inserted into strings that are later passed to a database server for execution.
SQL Injection Example
SQLquery = "SELECT * FROM users WHERE name = '" + UserName + "';"
- UserName's value comes from user input.
- Malicious user input = blah'; DROP TABLE users --
- The final query would look like this:
SELECT * FROM users WHERE name = 'blah'; DROP TABLE users --'
DEMO
AND 1 = "blah" -> Error? Why?
Because "blah" cannot be converted to an integer in order to compare it with 1.
• What if attackers replace "blah" with a [ SQL query that returns a string ]??
Preventing SQL injection
- Do not trust any user input
- Escape meta-characters: ' " ; --
- Parameterized statements using SQL stored procedures
- Error handling: prevent revealing error messages
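The concatenation from the example slide and the defences listed above, as an added example that is not part of the original deck: Python against an in-memory SQLite database. The `users` schema, the sample rows and the function names are this example's own assumptions. It goes a little beyond the slides by showing the unsafe query, the escaped query and the parameterized query side by side, and an error handler that logs the database's message server-side while returning a fixed message to the caller. The handler is exercised with a stray quote, because SQLite does not raise the integer-conversion error shown on the DEMO slide (that behaviour belongs to engines with strict typing).

```python
import logging
import sqlite3

# Constructed sample data (not from the slides): a small users table in an
# in-memory SQLite database so everything here runs offline.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO users (name) VALUES ('alice'), ('bob');
"""

# The malicious input quoted on the example slide.
MALICIOUS_INPUT = "blah'; DROP TABLE users --"

log = logging.getLogger("sqli-demo")


def fresh_db():
    """Create a new in-memory database populated with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, table):
    """Check the catalogue so the effect of a DROP TABLE can be observed."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def build_query_unsafe(user_name):
    """The slide's string concatenation: the input becomes SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def lookup_unsafe(conn, user_name):
    """Run the concatenated query as the slide describes. executescript() is
    used because the crafted input smuggles in a second statement; any driver
    that allows stacked statements behaves the same way. Returns whether the
    users table survived."""
    conn.executescript(build_query_unsafe(user_name))
    return table_exists(conn, "users")


def escape_single_quotes(value):
    """Escaping the string delimiter by doubling it, which is how SQL itself
    writes a literal single quote. Weaker than binding: every other context
    (numbers, identifiers, LIKE patterns) needs its own escaping rule."""
    return value.replace("'", "''")


def lookup_escaped(conn, user_name):
    """Concatenation with the delimiter escaped: the ' in the input no longer
    closes the literal, so the whole input is matched as a name."""
    conn.executescript(build_query_unsafe(escape_single_quotes(user_name)))
    return table_exists(conn, "users")


def lookup_safe(conn, user_name):
    """Parameterized statement: the SQL text is fixed and the driver binds the
    value separately, so the input is only ever compared as data and can
    never introduce a second statement."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (user_name,)
    ).fetchall()


def lookup_with_error_handling(conn, user_name):
    """Never echo the database's own error text. Full detail goes to the
    server-side log; the caller gets a fixed message, so a probe that relies
    on reading the error learns nothing about the engine or the schema.
    Deliberately uses the unsafe query so a real error can be triggered.
    Returns (rows, user_facing_error)."""
    try:
        rows = conn.execute(build_query_unsafe(user_name)).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        log.error("name lookup failed: %s", exc)
        return [], "Lookup failed."


if __name__ == "__main__":
    print(build_query_unsafe(MALICIOUS_INPUT))
    print("users table after unsafe lookup:", lookup_unsafe(fresh_db(), MALICIOUS_INPUT))
    print("users table after escaped lookup:", lookup_escaped(fresh_db(), MALICIOUS_INPUT))
    print("rows from parameterized lookup:", lookup_safe(fresh_db(), MALICIOUS_INPUT))
    print(lookup_with_error_handling(fresh_db(), "'"))
```

Running the script prints the slide's final query, then shows the table gone after the unsafe lookup, still present after the escaped one, no rows from the parameterized lookup (the whole crafted string is simply not anyone's name), and a generic "Lookup failed." for the malformed input while the real SQLite message goes only to the log.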
THANK YOU !!