13-03-2012, 02:37 PM
SQL INJECTION
sql.pptx (Size: 409.27 KB / Downloads: 44)
Introduction
SQL injection is a basic attack used either to
gain unauthorized access to a database.
retrieve information directly from the database.
The basic principles underlying SQL injection are simple and these types of attacks are easy to execute.
Scope of Attack
Application Software having data base at the back end such as accounting packages, automation systems etc.
Web applications such as online banking, ecommerce systems etc.
Query Manipulation
Query manipulation typically involves modifying the SQL statement through set operations (e.g., UNION) or
altering the WHERE clause to return a different result.
The most well known attack is to modify the WHERE clause of the user authentication statement so the WHERE clause always results in TRUE.
What’s Vulnerable?
An application is vulnerable to SQL injection for only one reason – end user string input is not properly validated and is passed to a dynamic SQL statement without any such validation.
Stateless nature of many web applications, allows the user to write data to the database or store it using some other means between web pages.
sql.pptx (Size: 409.27 KB / Downloads: 44)
Introduction
SQL injection is a basic attack used either to
gain unauthorized access to a database.
retrieve information directly from the database.
The basic principles underlying SQL injection are simple and these types of attacks are easy to execute.
Scope of Attack
Application Software having data base at the back end such as accounting packages, automation systems etc.
Web applications such as online banking, ecommerce systems etc.
Query Manipulation
Query manipulation typically involves modifying the SQL statement through set operations (e.g., UNION) or
altering the WHERE clause to return a different result.
The most well known attack is to modify the WHERE clause of the user authentication statement so the WHERE clause always results in TRUE.
What’s Vulnerable?
An application is vulnerable to SQL injection for only one reason – end user string input is not properly validated and is passed to a dynamic SQL statement without any such validation.
Stateless nature of many web applications, allows the user to write data to the database or store it using some other means between web pages.