How is SQL injection done?

Possible Duplicate:
XKCD SQL injection - please explain

What is the general concept behind SQL injection?

Being a Rails developer:

This is unsafe

  # Unsafe: the request value is interpolated straight into the SQL text
  Booking.find(:all, :conditions => [ "bookings.user_id = #{params[:user_id]}" ])

and this is safe:

  # Safe: the value is passed as a bind parameter, not as part of the SQL text
  Booking.find(:all, :conditions => [ 'bookings.user_id = ?', params[:user_id] ])

Am I right?

So my question is: how is SQL injection done? How do those guys do stuff like that? Any live example/tutorial where somebody shows this kind of stuff? Anything basic for knowing the logic.


SQL Injection happens when a programmer gets lazy. A vulnerable query would look like this:

DECLARE @cmd varchar(256)

-- @col is pasted into the SQL text, so whatever the caller sends becomes part of the query
SET @cmd = 'SELECT ' + @col + ' FROM Table'
EXEC(@cmd)

With @col being a variable passed into a stored procedure.

Usually, the user would enter a column that already exists for that variable. But a more devious user could enter something like this:

* FROM Table; DROP DATABASE data;--

The * FROM Table; finishes off the previous statement. Then, DROP DATABASE data; is the payload that does bad things, in this case, dropping the database. Finally, the -- comments out the rest of the query so it doesn't get any errors from the injection.

So, instead of executing this:

SELECT column
FROM Table

You get this:

SELECT *
FROM Table;
DROP DATABASE data;
--

Which is not good.

And this: [image]


All the user has to do is enter:

1234; DROP TABLE BOOKINGS

...


I don't know about Rails, but by doing this: Booking.find(:all, :conditions => [ 'bookings.user_id = #{params[user_id]]}'] ), you risk that the user gives user_id the value 1 OR 1=1 and, as you can see, it will modify your request.

With more injection you could do something like 1; DROP TABLE BOOKINGS, etc.

Basically injection is just "hijacking" a basic request to add yours.

Bobby tables

Link address: http://www.djcxy.com/p/93808.html
