Editing: Code injection (section)
===SQL injection===
{{Main|SQL injection}}
An [[SQL injection]] takes advantage of [[SQL syntax]] to inject malicious commands that can read or modify a database or compromise the meaning of the original query.<ref>{{Cite journal |last1=Zhuo |first1=Z. |last2=Cai |first2=T. |last3=Zhang |first3=X. |last4=Lv |first4=F. |date=2021-03-12 |title=Long short-term memory on abstract syntax tree for SQL injection detection |url=https://onlinelibrary.wiley.com/doi/10.1049/sfw2.12018 |journal=IET Software |language=en |volume=15 |issue=2 |pages=188–197 |doi=10.1049/sfw2.12018 |s2cid=233582569 |issn=1751-8806 |url-access=subscription }}</ref>

For example, consider a web page that has two [[text fields]] which allow users to enter a username and a password. The code behind the page will generate an [[SQL query]] to check the password against the list of user names:
<syntaxhighlight lang="sql">
SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username' AND UserList.Password = 'Password'
</syntaxhighlight>
If this query returns any rows, then access is granted. However, if the malicious user enters a valid Username and injects some valid code (<code>Password' OR '1'='1</code>) in the Password field, then the resulting query will look like this:
<syntaxhighlight lang="sql">
SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username' AND UserList.Password = 'Password' OR '1'='1'
</syntaxhighlight>
In the example above, "Password" is assumed to be blank or some innocuous string. <code>'1'='1'</code> is always true, so the query returns rows regardless of the password and access is granted. The technique may be refined to allow multiple statements to run or even to load up and run external programs.

Assume a query built by string concatenation with the following format:
<syntaxhighlight lang="sql">
SELECT User.UserID
FROM User
WHERE User.UserID = ' " + UserID + " ' AND User.Pwd = ' " + Password + " '
</syntaxhighlight>
If an adversary supplies the following inputs:
<code>UserID: ';DROP TABLE User; --'</code>
<code>Password: 'OR"='</code>
then the query will be parsed as:
<syntaxhighlight lang="sql">
SELECT User.UserID
FROM User
WHERE User.UserID = '';DROP TABLE User; --'AND User.Pwd = ''OR"='
</syntaxhighlight>
The <code>User</code> table will be removed from the database. This occurs because the <code>;</code> symbol signifies the end of one command and the start of a new one, and <code>--</code> signifies the start of a comment, so the remainder of the original query is ignored.
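The following Python example is added here to illustrate both passages above; it is not code from the Wikipedia article. It builds the article's login check in two ways against an in-memory SQLite database with constructed sample data (the <code>UserList</code> table, user <code>alice</code> and her password are assumptions): once by string concatenation, where the first payload from the text turns a wrong password into a successful login, and once with a parameterized query, where the same payload and the stacked <code>DROP TABLE</code> payload are bound as plain data and the table survives.

```python
import sqlite3

# Constructed sample schema and data for this added example (not from the article).
SCHEMA = """
CREATE TABLE UserList (Username TEXT PRIMARY KEY, Password TEXT NOT NULL);
INSERT INTO UserList VALUES ('alice', 'correct horse battery staple');
"""


def fresh_db():
    """Return a new in-memory database populated with the sample user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenating user input into the SQL text, as in the
    article's example. A quote character in the input ends the string literal
    early, so the rest of the input is parsed as SQL and changes the query's
    meaning."""
    query = (
        "SELECT UserList.Username FROM UserList "
        "WHERE UserList.Username = '" + username + "' "
        "AND UserList.Password = '" + password + "'"
    )
    rows = conn.execute(query).fetchall()
    return len(rows) > 0


def login_safe(conn, username, password):
    """Same check with a parameterized query. The SQL text is fixed and the
    input is bound to the ? placeholders as data, so quotes, semicolons and
    comment markers inside it are compared as characters, never parsed as SQL."""
    query = (
        "SELECT UserList.Username FROM UserList "
        "WHERE UserList.Username = ? AND UserList.Password = ?"
    )
    rows = conn.execute(query, (username, password)).fetchall()
    return len(rows) > 0


def table_exists(conn, name):
    """Check the SQLite catalogue for a table of the given name."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def demo():
    """Run both login implementations against the payloads from the article
    and return the outcomes in a dict."""
    results = {}
    conn = fresh_db()

    # First payload from the article: a wrong password followed by OR '1'='1'.
    bypass = "Password' OR '1'='1"
    results["vulnerable_bypass"] = login_vulnerable(conn, "alice", bypass)  # True: access granted
    results["safe_bypass"] = login_safe(conn, "alice", bypass)              # False: treated as a literal
    results["safe_correct"] = login_safe(conn, "alice", "correct horse battery staple")  # True

    # Second payload from the article, adapted to this table name. The
    # parameterized query compares it as an ordinary username string; no
    # statement boundary or comment is introduced and the table is untouched.
    stacked = "';DROP TABLE UserList; --"
    results["safe_stacked"] = login_safe(conn, stacked, "anything")  # False
    results["table_survives"] = table_exists(conn, "UserList")        # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that Python's <code>sqlite3</code> module refuses to run more than one statement per <code>execute()</code> call, so the concatenating function would raise an error on the stacked payload rather than drop the table; other drivers and databases do execute stacked statements, which is why the fix is to keep input out of the SQL text altogether rather than to rely on driver behaviour.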