views: 51
answers: 3
$sql="SELECT * FROM  Reg_Stud WHERE Username='$var1' AND RegID=$var2 ";

This is the code.

I tried the input:

Username = anything' OR 'x'='x

ID = 12 or 1=1

No sign of SQL injection, but when I just give the first argument and end it by commenting out the rest, it gives a SQL error, i.e. anything' OR 'x'='x;--

+3  A: 

perform SQL injection and patch it

You can use the SQL Inject Me Firefox addon, which has a huge number of patterns it tests with :)

SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is a Firefox extension used to test for SQL Injection vulnerabilities.

To be on the safe side, you should use prepared statements.

Sarfraz
+1  A: 

You have the following conditions: Username==anything OR x=x AND RegID=12, in boolean: false OR true AND false. Apparently MySQL evaluates this entire expression as false (false OR (true AND false)), because AND binds more tightly than OR.

SoftwareJonas
A: 

What happens if you set the username to x' or 1=1--

klausbyskov
Query failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND RegID=' at line 1
Vinod K
@Vinod K, ah, I just checked the syntax for comments in the mysql manual. You need to put a space after `--`. Try that. This should comment out the rest of the line and return data for all students. It would also make the value $var2 unimportant as it forms part of the comment.
klausbyskov
Query failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1...
Vinod K
btw... shouldn't the command be... x' or '1'='1-- ?
Vinod K
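The three points made above (the AND-over-OR precedence that made the first test look clean, the comment-terminated input that does return every row, and the prepared-statement fix) can be reproduced side by side. The following is an added example, not code from the question or any of the answers: it uses Python's sqlite3 with an in-memory table standing in for Reg_Stud (SQLite and MySQL both bind AND tighter than OR, and both accept `-- ` followed by a space as a comment), the student rows are constructed sample data, and `lookup_unsafe` / `lookup_safe` are hypothetical names for the question's query and its parameterized replacement.

```python
import sqlite3

# Constructed sample data standing in for the question's Reg_Stud table.
STUDENTS = [("alice", 12), ("bob", 13)]


def make_db():
    """Create an in-memory database with the sample Reg_Stud rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Reg_Stud (Username TEXT, RegID INTEGER)")
    conn.executemany("INSERT INTO Reg_Stud VALUES (?, ?)", STUDENTS)
    return conn


def lookup_unsafe(conn, var1, var2):
    """The question's query, built by string interpolation (deliberately vulnerable)."""
    sql = f"SELECT * FROM Reg_Stud WHERE Username='{var1}' AND RegID={var2}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, var1, var2):
    """Parameterized version: values travel separately from the SQL text,
    so quotes and comment markers in the input are never parsed as SQL.
    RegID is also validated as an integer instead of being pasted into the query."""
    try:
        reg_id = int(var2)
    except ValueError:
        return []  # a non-numeric RegID is rejected rather than interpolated
    sql = "SELECT * FROM Reg_Stud WHERE Username=? AND RegID=?"
    return conn.execute(sql, (var1, reg_id)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected_user = "anything' OR 'x'='x"
    # Precedence: false OR ('x'='x' AND RegID=99) -> no rows, the false negative
    # the question reports. With RegID=12 only alice comes back, which looks like
    # a normal lookup, so the test still shows "no sign of SQL injection".
    print(lookup_unsafe(conn, injected_user, "99"))  # []
    print(lookup_unsafe(conn, injected_user, "12"))  # [('alice', 12)]
    # Comment-terminated username (the input discussed in the last answer):
    # the rest of the WHERE clause is commented out and every row is returned.
    print(lookup_unsafe(conn, "x' OR 1=1 -- ", "99"))  # both rows
    # The same inputs through the parameterized query match nothing.
    print(lookup_safe(conn, injected_user, "12"))  # []
    print(lookup_safe(conn, "x' OR 1=1 -- ", "99"))  # []
    print(lookup_safe(conn, "alice", "12"))  # [('alice', 12)]
```

Running the script shows why the tester's original probe was a false negative rather than proof of safety: the OR clause was swallowed by the AND, so a clean result said nothing about the query's exposure. Only the parameterized version treats every input as data regardless of what it contains.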