qazmlpok

explanation of SQL injection

Mar 30th, 2016 (edited)
I'm using the xkcd version as the example because I'm fairly certain the one in here won't actually work. It's been a while, but I think most SQL servers won't accept ".
http://imgs.xkcd.com/comics/exploits_of_a_mom.png

The kid's name is ``Robert'); DROP TABLE Students;--``

Normal children have names like "Bob". Bob is a child at the school, and the school has a database of all his information.

Let's say you wanted to get Bob's phone number and home address, so you can call his mom:

SELECT Name, Phone_number, Home_address FROM Students WHERE (Name='Bob')

This will give you Bob's name, phone number, and home address. Actually, it'll give you the details of every child named Bob, but let's pretend he's the only Bob. If you just wanted everything stored on Bob, you could just do:

SELECT * FROM Students WHERE Name='Bob'

That's where ``SELECT *`` comes from in the image. Moe is getting all the information on the drunks in the bar.
  17.  
Some other things to explain before I continue:
``--`` starts a comment. Anything that comes after these two dashes (up to the end of the line) will be ignored.
``;`` can be used to separate statements. Both will be executed. e.g. ``SELECT * FROM Students WHERE Name='Bob';SELECT * FROM Students WHERE Name='Tracy'``
  21.  
Now let's search for little bobby drop tables.

SELECT * FROM Students WHERE (Name='Robert'); DROP TABLE Students;--')

This command got a little weird. We use single quotes around the person's name, but the name itself has a single quote. And there's also a semicolon and a comment in there!
  27.  
So what happens is the SQL interpreter sees two commands:
SELECT * FROM Students WHERE (Name='Robert')
DROP TABLE Students

Whatever was left of the original query after the name comes after the ``--``, so all of that will be ignored.
  33.  
So the SQL server will execute both of those commands. First it will get a list of all students named Robert.
Then it will "drop" the table Students. It's pretty obvious that this is bad, but to go into specifics:
All data in the Students table will be removed.
The table itself will be deleted.
This means that any further queries on student information will not only fail to give the info you want, but will produce horrible error messages and probably crash whatever program the teachers are using.
  39.  
This is known as SQL injection. Wikipedia has an article on it for more information, or if I made a mistake.

The XKCD and Simpsons examples are purely malicious. More "practical" uses would be something like:

"Hey, Amazon, I'd like to search for a product. While you're at it, how about you give me every credit card number in your database?"

Competent programmers can prevent this kind of attack, so no, you won't be able to actually use this to steal credit card information from Amazon. Don't even try.
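As an added example that is not part of the original paste, here is the whole story in Python's built-in sqlite3 module: the Students lookup from the queries above, the mistake that lets Bobby's name run as two statements, and the parameterized query that is the usual way competent programmers prevent it. The Students table and the sample phone numbers and addresses are constructed data; the function names `fresh_db`, `table_exists`, `lookup_vulnerable` and `lookup_safe` are chosen here, not taken from the paste.

```python
import sqlite3

# Constructed sample roster (not from the original paste): the three columns
# the paste queries, filled with made-up children.
SAMPLE_STUDENTS = [
    ("Bob", "555-0100", "1 Elm St"),
    ("Tracy", "555-0101", "2 Oak St"),
]

# The kid's name from the comic, exactly as the paste quotes it.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """Build an in-memory Students table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Students (Name TEXT, Phone_number TEXT, Home_address TEXT)"
    )
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    conn.commit()
    return conn


def table_exists(conn, table):
    """True while the table is still in the schema; False once it is dropped."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, name):
    """The mistake the paste describes: the name is pasted into the SQL text.

    Quotes, ';' and '--' inside the name therefore become part of the query.
    sqlite3's execute() refuses multi-statement strings, so executescript()
    is used here to mimic a server that runs ';'-separated batches, as in the
    comic. Returns the SQL string that was actually sent.
    """
    sql = f"SELECT * FROM Students WHERE (Name='{name}')"
    conn.executescript(sql)
    return sql


def lookup_safe(conn, name):
    """The fix: a parameterized query. The name travels as a bound value,
    so the database never parses it as SQL, whatever characters it holds."""
    cur = conn.execute(
        "SELECT Name, Phone_number, Home_address FROM Students WHERE Name = ?",
        (name,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_safe(db, "Bob"))               # Bob's row
    print(lookup_safe(db, BOBBY_TABLES))        # [] : no such student, table intact
    print(table_exists(db, "Students"))         # True
    print(lookup_vulnerable(db, BOBBY_TABLES))  # the two-statement query from the paste
    print(table_exists(db, "Students"))         # False : the table is gone
```

`executescript()` is used only so that `lookup_vulnerable` behaves like a server that accepts `;`-separated batches; sqlite3's ordinary `execute()` would reject the second statement. That is worth noticing, but refusing batches is no substitute for binding parameters: a value that is pasted into the SQL text can still rewrite the WHERE clause of a single statement, while a bound parameter can only ever be compared against the Name column.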