SQL injection
===Getting direct output or action===
Imagine a program creates a SQL statement using the following string assignment command:

<syntaxhighlight lang="javascript" inline>var statement = "SELECT * FROM users WHERE name = '" + userName + "'";</syntaxhighlight>

This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as:

<pre>' OR '1'='1</pre>

or using comments to even block the rest of the query (there are three types of SQL comments<ref>{{citation|title=IBM Informix Guide to SQL: Syntax|chapter=How to Enter SQL Comments|publisher=IBM|chapter-url=http://publibfp.dhe.ibm.com/epubs/pdf/c2736111.pdf|pages=13–14|access-date=2018-06-04|archive-date=February 24, 2021|archive-url=https://web.archive.org/web/20210224035314/http://publibfp.dhe.ibm.com/epubs/pdf/c2736111.pdf|url-status=dead|language=en}}</ref>). All three lines have a space at the end:

<pre>' OR '1'='1' -- 
' OR '1'='1' { 
' OR '1'='1' /* </pre>

renders one of the following SQL statements by the parent language:

<syntaxhighlight lang="sql">SELECT * FROM users WHERE name = '' OR '1'='1';</syntaxhighlight>
<syntaxhighlight lang="sql">SELECT * FROM users WHERE name = '' OR '1'='1' -- ';</syntaxhighlight>

If this code were used in an authentication procedure, this example could be used to force the selection of every data field (*) from ''all'' users rather than from one specific user name as the coder intended, because the evaluation of '1'='1' is always true.

The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using an [[API]] that allows multiple statements:

<syntaxhighlight lang="sql" inline>a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't</syntaxhighlight>

This input renders the final SQL statement as follows:

<syntaxhighlight lang="sql">SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';</syntaxhighlight>

While most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs such as [[PHP]]'s <code>mysql_query()</code> function do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but doesn't stop them from modifying queries.
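The following is an added, runnable illustration of both points above (the tautology and comment payloads, and the difference between a single-statement and a multi-statement API); it is not code from the article. It assumes Python's built-in <code>sqlite3</code> module as a stand-in for the generic database API, with <code>execute()</code> playing the role of a one-statement-per-call function such as <code>mysql_query()</code> and <code>executescript()</code> the role of an API that accepts stacked statements. The <code>users</code> and <code>userinfo</code> tables and their rows are constructed sample data, and the parameterized query is shown beside the vulnerable concatenation as the mitigation.

```python
import sqlite3

# Constructed sample payload, taken from the article's stacked-query example.
STACKED_PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def make_db():
    """Build a constructed in-memory database with the two tables the article names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol');
        CREATE TABLE userinfo (name TEXT NOT NULL, email TEXT NOT NULL);
        INSERT INTO userinfo (name, email) VALUES
            ('alice', 'alice@example.invalid'),
            ('bob', 'bob@example.invalid');
        """
    )
    return conn


def build_statement(user_name):
    """The article's vulnerable pattern: the input is spliced into the SQL text itself."""
    return "SELECT * FROM users WHERE name = '" + user_name + "'"


def lookup_vulnerable(conn, user_name):
    """Run the concatenated statement through a single-statement API (sqlite3 execute)."""
    return conn.execute(build_statement(user_name)).fetchall()


def lookup_parameterized(conn, user_name):
    """Hardened form: the SQL text is constant and the value is bound by the driver,
    so whatever the caller passes is compared as data and can never become SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def single_statement_api(conn, user_name):
    """Return 'refused' if the driver rejects stacked statements, 'executed' otherwise.
    sqlite3's execute() runs only one statement per call, like the article's mysql_query()."""
    try:
        conn.execute(build_statement(user_name))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Older Python versions raise sqlite3.Warning, newer ones ProgrammingError.
        return "refused"
    return "executed"


def users_table_survives_multi_statement_api(conn, user_name):
    """Run the concatenated statement through an API that accepts stacked statements
    (sqlite3 executescript) and report whether the users table still exists afterwards."""
    conn.executescript(build_statement(user_name))
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    print("vulnerable, normal input  :", lookup_vulnerable(make_db(), "alice"))
    print("vulnerable, tautology     :", lookup_vulnerable(make_db(), "' OR '1'='1"))
    print("vulnerable, '--' comment  :", lookup_vulnerable(make_db(), "' OR '1'='1' -- "))
    print("parameterized, tautology  :", lookup_parameterized(make_db(), "' OR '1'='1"))
    print("stacked, one-statement API:", single_statement_api(make_db(), STACKED_PAYLOAD))
    print("users table survives multi-statement API:",
          users_table_survives_multi_statement_api(make_db(), STACKED_PAYLOAD))
```

With the concatenated query, the tautology and the <code>--</code> comment payload both return every row of <code>users</code>, while the parameterized lookup returns nothing for the same input because the quote characters are just part of a string being compared. The stacked payload is rejected by <code>execute()</code> but drops the table under <code>executescript()</code>, which is exactly the API distinction the paragraph draws; note that refusing stacked statements does not protect the tautology case, so parameterization is the control that matters. The <code>{</code> comment form is Informix-specific and is not recognised by SQLite, which is why it is not exercised here.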