Over the next couple of weeks I am going to post some security snippets that will make our web a huge happy place. On the menu for today: SQL Injection / Spoofing (I have heard it called both names). So, imagine a log in screen with a username and password. We would expect Request("user") to be a string, such as "Ryan". A matching query for that screen may look similar to this:

SELECT password FROM tUsers
WHERE username = 'Ryan'

What if I were to type the string "' OR username LIKE 'c%" into the text field? The quote in it closes the original string literal, so the query becomes:

SELECT password FROM tUsers
WHERE username = ''
OR username LIKE 'c%'

This would return all passwords that match a username starting with ‘c’. Now that you see the flaw, here is more on how to prevent it:
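The following is an added example, not code from the original post: it builds an in-memory SQLite table named tUsers with a few constructed rows, runs the post's query once by string concatenation (the flaw above) and once with a bound parameter, and shows that the same "' OR username LIKE 'c%" input leaks the passwords of every user starting with "c" in the first case and matches nothing in the second. The table contents and the helper names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data; only the table and column names (tUsers, username, password)
# come from the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tUsers VALUES (?, ?)",
        [("Ryan", "ryan-secret"), ("carol", "carol-secret"), ("chris", "chris-secret")],
    )
    return conn

def lookup_concatenated(conn, user):
    # Vulnerable: the request value is spliced into the SQL text, so a quote in the
    # input ends the literal and the rest of the input is parsed as SQL.
    sql = "SELECT password FROM tUsers WHERE username = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, user):
    # Hardened: the value is passed as a bound parameter. The database receives the
    # fixed query text and the input separately, so the input is only ever compared
    # as data and is never interpreted as SQL.
    sql = "SELECT password FROM tUsers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (user,))]

# The post's example input, written out exactly as it would be typed into the field.
INJECTED = "' OR username LIKE 'c%"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_concatenated(conn, "Ryan"))      # the intended single row
    print(lookup_concatenated(conn, INJECTED))    # every password for usernames starting with "c"
    print(lookup_parameterized(conn, INJECTED))   # no such username, so no rows
```

The hardened version needs no escaping or input filtering of its own: the placeholder is the whole defence, and it works the same way with the parameter syntax of any other database driver.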

SQL Injection / Spoofing by Ryan Campbell

This entry was posted 5 years ago and was filed under Notebooks.