SQL Injection - Example attacks

Example attacks

Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call:

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable (e.g., Hibernate Query Language (HQL)):

Query HQLQuery = SESSION.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'");

In both cases, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1.

For example: http://example.com/app/accountView?id=' or '1'='1

This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.

Other attacks

The following is passed in as input:

 -1 union all select table_name from information_schema.tables

The table structure can then be extracted by listing column names:

SELECT ... WHERE id = -1 UNION ALL SELECT column_name FROM information_schema.columns WHERE TABLE_NAME = 0x61727469636c65
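
Both the quoted-string scenarios and the numeric case above stop working once the input is bound as a parameter instead of concatenated into the SQL text. The following is an added example, not part of the original page: it uses Python's sqlite3 rather than Java so that it runs without a database server, the accounts rows are constructed sample data, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the page's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("1001", "alice"), ("1002", "bob"), ("1003", "carol")],
    )
    return db

def lookup_concatenated(db, cust_id):
    # Same construction as Scenario #1: the input becomes part of the SQL text,
    # so quote characters in it change the structure of the statement.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, cust_id):
    # The statement text is fixed; the driver binds the value separately,
    # so it is only ever compared as data and never parsed as SQL.
    return db.execute(
        "SELECT * FROM accounts WHERE custID = ?", (cust_id,)
    ).fetchall()

def parse_numeric_id(raw):
    # For numeric parameters (the "Other attacks" case): accept ASCII digits
    # only, then still pass the resulting int as a bound parameter.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("id must be a non-negative integer")
    return int(raw)

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the value shown on this page
    print("concatenated rows: ", len(lookup_concatenated(db, payload)))
    print("parameterized rows:", len(lookup_parameterized(db, payload)))
    print("legitimate lookup: ", lookup_parameterized(db, "1002"))
    try:
        parse_numeric_id("-1 union all select table_name from information_schema.tables")
    except ValueError as exc:
        print("numeric id rejected:", exc)
```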


hacking/sql_injection/example_attacks.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1
