SQL injection
====Conditional responses====
One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen. As an example, a book review website uses a [[query string]] to determine which book review to display. So the [[URL]] <code><nowiki>https://books.example.com/review?id=5</nowiki></code> would cause the server to run the query
<syntaxhighlight lang="sql">
SELECT * FROM bookreviews WHERE ID = '5';
</syntaxhighlight>
from which it would populate the review page with data from the review with [[Identifier|ID]] 5, stored in the [[Table (database)|table]] bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor does the user see the SQL query itself. The user only sees that the above URL returns a book review. A [[Security hacker|hacker]] can load the URLs <code><syntaxhighlight lang="sql" inline>https://books.example.com/review?id=5' OR '1'='1</syntaxhighlight></code> and <code><syntaxhighlight lang="sql" inline>https://books.example.com/review?id=5' AND '1'='2</syntaxhighlight></code>, which may result in the queries
<syntaxhighlight lang="sql">
SELECT * FROM bookreviews WHERE ID = '5' OR '1'='1';
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='2';
</syntaxhighlight>
respectively. If the original review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, and that blank or error page is not a deliberate message telling the user the input was rejected by an input validation check, the site is likely vulnerable to an SQL injection attack, because the query will likely have passed through successfully in both cases.
The hacker may proceed with this query string designed to reveal the version number of [[MySQL]] running on the server: <code><syntaxhighlight lang="mysql" inline>https://books.example.com/review?id=5 AND substring(@@version, 1, INSTR(@@version, '.') - 1)=4</syntaxhighlight></code>, which would show the book review on a server running MySQL 4 and a blank or error page otherwise. The hacker can continue to use code within query strings to achieve their goal directly, or to glean more information from the server in hopes of discovering another avenue of attack.<ref>{{cite web|url=http://forum.intern0t.org/web-hacking-war-games/818-blind-sql-injection.html|title=Blind SQL Injection tutorial|author=macd3v|access-date=6 December 2012|url-status=dead|archive-url=https://web.archive.org/web/20121214193021/http://forum.intern0t.org/web-hacking-war-games/818-blind-sql-injection.html|archive-date=December 14, 2012 |language=en}}</ref><ref>{{cite web|title=TDSS botnet: full disclosure |url=http://nobunkum.ru/analytics/en-tdss-botnet|access-date=6 December 2012|author=Andrey Rassokhin|author2=Dmitry Oleksyuk|url-status=dead |archive-url=https://web.archive.org/web/20121209032723/http://nobunkum.ru/analytics/en-tdss-botnet|archive-date=December 9, 2012 |language=en}}</ref>
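The following Python script is an added illustration of the two sections above; it is not part of the Wikipedia article and not code from any real book review site. It builds the article's <code>bookreviews</code> table in an in-memory SQLite database (the column set beyond <code>ID</code> is an assumption), shows why the concatenated query answers the "1=1" and "1=2" URLs differently while a parameterised query answers both with no rows, and finishes with a small check that flags such probe values in constructed web server log lines so an operator can spot the conditional-response pattern in access logs.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows for the article's "bookreviews" table.
# Hypothetical schema: the article only names the table and its ID column.
SAMPLE_REVIEWS = [
    (5, "The Art of Computer Programming", "A classic."),
    (6, "Secrets and Lies", "A readable security book."),
]

# Constructed access-log lines in Apache common log format; the second and
# third carry the URL-encoded forms of the "1=1" and "1=2" probes.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /review?id=5 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /review?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /review?id=5%27%20AND%20%271%27%3D%272 HTTP/1.1" 200 512',
]


def make_db():
    """Create the in-memory table the examples run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookreviews (ID INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO bookreviews VALUES (?, ?, ?)", SAMPLE_REVIEWS)
    return conn


def vulnerable_lookup(conn, review_id):
    """String concatenation: the id parameter becomes part of the SQL text,
    so quotes and boolean operators inside it change the query's logic.
    This is the behaviour the article describes, kept deliberately."""
    sql = f"SELECT * FROM bookreviews WHERE ID = '{review_id}';"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, review_id):
    """Parameterised query: the value is bound as data and never parsed as SQL,
    so an input that is not an existing ID simply matches nothing. Both probe
    URLs therefore produce the same (empty) response and leak no condition."""
    return conn.execute(
        "SELECT * FROM bookreviews WHERE ID = ?;", (review_id,)
    ).fetchall()


# A quote followed by OR/AND and a comparison: the shape of the probes above.
TAUTOLOGY = re.compile(r"'\s*(or|and)\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_suspicious_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for every query-string
    value in the log that matches the tautology pattern."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes the values for us.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if TAUTOLOGY.search(value):
                    hits.append((number, param, value))
    return hits


if __name__ == "__main__":
    db = make_db()
    for probe in ("5", "5' OR '1'='1", "5' AND '1'='2"):
        print(f"{probe!r:22} concatenated -> {len(vulnerable_lookup(db, probe))} row(s),"
              f" parameterised -> {len(safe_lookup(db, probe))} row(s)")
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious request on log line", *hit)
```

The concatenated lookup returns one row for <code>5</code>, every row for the "1=1" probe and no rows for the "1=2" probe, which is exactly the observable difference the article relies on; the parameterised lookup returns one row for <code>5</code> and nothing for either probe, so the two URLs are indistinguishable to an observer. The log check is a coarse string-shape filter meant for triage, not a substitute for fixing the query.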