+ 3

What is sql injection and how can i use this.

15th Sep 2017, 10:05 AM
SACHIN BARUA
SACHIN BARUA - avatar
4 Respostas
+ 5
If your code looks something like this: mysql_query('UPDATE users SET first_name="' . $_POST['first_name'] . '" WHERE id=1001'); you would expect the generated SQL to be: UPDATE users set first_name="Liz" WHERE id=1001; But if your malicious user types their first name as: Liz", last_name="Lemon"; -- the generated SQL then becomes: UPDATE users SET first_name="Liz", last_name="Lemon"; --" WHERE id=1001; Now all of your users are named Liz Lemon, and that’s just not cool.
15th Sep 2017, 10:15 AM
Calviղ
Calviղ - avatar
+ 1
Go to YouTube. Look for Tom Scott SQL Injection. His explanations are succinct and he's super sexy.
15th Sep 2017, 6:38 PM
1of3
1of3 - avatar
+ 1
you can inject some sql codes on an unsecured input form or get method that has a relation with mysql_query() e.g: php?id=1 mysql_query('select name from namds where id=1') i use order by + a random number to get number of collumns then union select + number of columns as 1,2,3... after finding vuln column u can inject something like php?id=union select 1,password,3 from admin or bruteforcing tables data and columns with havij or sqlmap
16th Sep 2017, 12:01 AM
New Coder
New Coder - avatar