SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.

SQL Injection Example

Below is a sample string that has been gathered from a normal user and a bad user trying to use SQL Injection. We asked the users for their login, which will be used to run a SELECT statement to get their information.

MySQL & PHP Code:

```php
<?php
// a good user's name
$name = "timmy";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "<br />";

// user input that uses SQL Injection
$name_bad = "' OR 1'";

// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

// display what the new query will look like, with injection
echo "Injection: " . $query_bad;
```

Thanks & Regards,
Lokananth
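The post shows the interpolated query text but not what the database does with it, nor the fix. The following is an added example (not code from the original post) that runs the same `$name_bad` input both ways: through the post's string-building approach and through a PDO prepared statement. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the PDO calls are the same ones you would use against MySQL with a `mysql:` DSN. The table and rows are constructed for the demonstration.

```php
<?php
// Added example: in-memory SQLite via PDO (assumed available) stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (username TEXT, email TEXT)");
$db->exec("INSERT INTO customers VALUES ('timmy', 'timmy@example.com'), ('alice', 'alice@example.com')");

// The same input the post uses.
$name_bad = "' OR 1'";

// The post's query builder: the input is pasted into the SQL text, so the
// database parses whatever the user typed as part of the statement.
function lookupUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT * FROM customers WHERE username = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed before the value arrives, so the
// input is bound as a string value and can never change the statement's structure.
function lookupSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT * FROM customers WHERE username = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $rows = lookupUnsafe($db, $name_bad);
    echo "Interpolated query returned " . count($rows) . " row(s)\n";
} catch (PDOException $e) {
    // With this particular input the stray quotes make the statement unparseable;
    // the point is that the user, not the developer, decided what SQL was run.
    echo "Interpolated query rejected by the database: " . $e->getMessage() . "\n";
}

// The prepared statement simply looks for a customer literally named "' OR 1'".
echo "Prepared statement returned " . count(lookupSafe($db, $name_bad)) . " row(s)\n";
echo "Prepared statement for timmy returned " . count(lookupSafe($db, "timmy")) . " row(s)\n";
```

The prepared-statement path returns no rows for the injected input and one row for `timmy`, because the value is sent to the database separately from the query text. Use the same pattern for INSERT and UPDATE statements; escaping functions are a weaker substitute because every interpolated value must be escaped correctly, and a single missed one reopens the hole.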
Forum Software © 2001–2009 phpBB
techForum Style © 2003–2009 techpatterns.com