API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 21st, 2017
132
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 0.95 KB | None | 0 0
raw download clone embed print report
  1. Take your query:
  2.  
  3. select * from tableName where userField = '" + txtBoxUser + "' and passField = '" + txtBoxPass + "'"
  4.  
  5. So, imagine user enter this on textboxes:
  6.  
  7. txtBoxUser: John Doe
  8. txtBoxPass: 1234
  9.  
  10. So, the query will be:
  11.  
  12. select * from tableName where userField = 'John Doe' and passField = '1234'
  13.  
  14. If the user/pass matches, the login will succes.
  15.  
  16. But now imagine the 'user' enter this on textboxes:
  17.  
  18. txtBoxUser: ' or ''='
  19. txtBoxPass: ' or ''='
  20.  
  21. The query will be:
  22.  
  23. SELECT * FROM tableName WHERE userField = '' OR ''='' AND passField = '' OR ''=''
  24.  
  25. This query always successfully, so login always sucess
  26.  
  27. So you have 3 choices:
  28.  
  29. 1) Only allow letters and numbers on textboxes. (really bad fix, because someone could use simbols on user/pass)
  30. 2) Use parameters on query. This should fix the SQLi
  31. 3) Use Stored Procedures
  32.  
  33. Hope it helps someone to understand how 'SQL Injection' works and how try to fix it
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!