SQL Injection Attacks and Tips on How to Prevent Them from website

By | November 8, 2013

Hello Friends, today i’m going to write on what is SQL injection?  and developer must need to take care of few thing during the development of website for prevent attacking on website by the way of SQL Injection.

What is SQL injection?

SQL Injections is one of the easiest and most effective ways for hacking sites. If you know how SQL statements work, you can easily change it to achieve your needs.

Example, a SQL syntex for a PHP based website could be

SELECT * FROM USERS WHERE ADMIN = “$username” AND PASSWORD = “$password”;

The PHP variables $username and $password will be assigned the values that the user entered into the username and password textboxes of Login Form.

If the user correctly enters the correct username and password, they query will return a result, thus logging you in.

However, instead of entering the correct username and password, we can inject some SQL and modify the query result.

Like, we can enter aaaa in the username textbox, and bbbb” OR “1” = “1 in the password textbox.
By doing this, the query will be SELECT * FROM USERS WHERE ADMIN = “aaaa ” AND PASSWORD = “bbbb” OR “1” = “1”;

This statement will return true because 1 is equal to 1 and we will successfully login to site.

SQL Injection and tips

Other possibilities are to try depending on the SQL Query are:
• ‘ or 1=1–
• ” or 1=1–
• or 1=1–
• ‘ or ‘a’=’a
• ” or “a”=”a
• ‘) or (‘a’=’a

To stay safe from such a fact use mysqli_real_escape_string in php for Escapes special characters in a string for use in an SQL statement and prevent un authorise attack through Mysql Injection.

Leave a Reply

Your email address will not be published. Required fields are marked *