<\/p>\n\n\n\n
SQL Injection Syntax<\/h2>\n\n\n\n
SQL Injection typically happens when input values from the user are directly concatenated<\/strong> into a SQL query, like so:<\/p>\n\n\n\n Now if a user inputs:<\/p>\n\n\n\n Then the resulting SQL becomes:<\/p>\n\n\n\n This shows how malicious input can completely alter the intent of a SQL query.<\/p>\n\n\n\n <\/p>\n\n\n\n Here are common SQL injection patterns:<\/p>\n\n\n\n This will return all rows<\/strong> because In login forms, users might enter:<\/p>\n\n\n\n This produces:<\/p>\n\n\n\n This again returns all users, bypassing authentication.<\/p>\n\n\n\n Some systems allow multiple SQL statements separated by semicolons:<\/p>\n\n\n\n Input:<\/p>\n\n\n\n SQL:<\/p>\n\n\n\n Warning:<\/em><\/strong> This can delete entire tables! <\/p>\n\n\n\n Instead of directly inserting user input into SQL strings, use parameterized queries<\/strong>.<\/p>\n\n\n\n Example (ASP.NET Razor-style syntax):<\/p>\n\n\n\n This way, user input is treated as literal values<\/strong>, not executable SQL.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n In our playground environment, you can safely practice SELECT statements<\/strong> and basic WHERE filtering<\/strong>, but note the following:<\/p>\n\n\n\n Example you can try:<\/strong><\/p>\n\n\n\n This returns all patients<\/strong>, showing how the condition bypasses intended logic.<\/p>\n\n\n\n <\/p>\n\n\n\ntxtUserId = getRequestString("UserId");\ntxtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;<\/pre><\/div>\n\n\n\n105 OR 1=1<\/pre><\/div>\n\n\n\n
SELECT * FROM Users WHERE UserId = 105 OR 1=1;<\/pre><\/div>\n\n\n\n
1=1<\/code> is always true, so this returns all users<\/strong> instead of just one.<\/p>\n\n\n\nSQL Injection Example<\/h2>\n\n\n\n
1. Boolean Injection:
OR 1=1<\/code><\/strong><\/h3>\n\n\n\nSELECT * FROM Users WHERE UserId = 105 OR 1=1;<\/pre><\/div>\n\n\n\n
1=1<\/code> is always true.<\/p>\n\n\n\n2. String Injection:
\"\"=\"\"<\/code><\/strong><\/h3>\n\n\n\n\n
\" OR \"\"=\"<\/code><\/li>\n\n\n\n\" OR \"\"=\"<\/code><\/li>\n<\/ul>\n\n\n\nSELECT * FROM Users WHERE Name ="" OR ""="" AND Pass ="" OR ""="";<\/pre><\/div>\n\n\n\n
3. Batched SQL Statements<\/strong><\/h3>\n\n\n\n
105; DROP TABLE Suppliers<\/pre><\/div>\n\n\n\n
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;<\/pre><\/div>\n\n\n\n
\n
Note:<\/em><\/strong> Batched SQL statements like this may not run in our playground<\/strong> for safety reasons.<\/p>\n<\/blockquote>\n\n\n\nSQL Injection Protection <\/h2>\n\n\n\n
SQL Injection Protection Using SQL Parameters<\/h3>\n\n\n\n
txtUserId = getRequestString("UserId");\ntxtSQL = "SELECT * FROM Users WHERE UserId = @0";\ndb.Execute(txtSQL, txtUserId);<\/pre><\/div>\n\n\n\nSQL Injection Protection Best Practices<\/h3>\n\n\n\n
\n
SQL Injection Playground Testing <\/h2>\n\n\n\n
\n
DROP TABLE<\/code> or batched injections using ;<\/code> will not work<\/strong> (for safety).<\/li>\n\n\n\nOR 1=1<\/code>.<\/li>\n<\/ul>\n\n\n\nSELECT * FROM Patients WHERE patient_id = 1 OR 1=1;<\/pre><\/div>\n\n\n\n
![\"\"](\"https:\/\/techkubo.com\/sql\/wp-content\/uploads\/sites\/3\/2024\/08\/image-112-1024x450.png\")
<\/figure>\n\n\n\nSQL Injection Labs<\/h2>\n\n\n\n