MGZ
05-14-02, 14:33
http://207.230.217.78/chris/sqlinjection.zip

This article points out a flaw/weakness in some DB servers called SQL Injection. The concept is very similar to CSS (cross-site scripting). The following code is in ASP/MS SQL but it should make sense across the platforms.

Let's say you have a simple HTML form that has a single textbox where the user enters their name. On the server-side you have the following code:

    "SELECT * FROM Users WHERE Username='" & Request.Form("Username") & "'"

If a person enters Bob into the user name box, the query sent to the SQL server would be:

    SELECT * FROM Users WHERE Username='Bob'

That's great and all, but what if the user entered:

    Bob' DROP TABLE Users--

This would send the following code to the server:

    SELECT * FROM Users WHERE Username='Bob' DROP TABLE Users--'

Since MS SQL pretty much ignores whitespace, it's going to execute both commands, the second of which deletes the entire user table. The 2 dashes are SQL comments so the last apostrophe gets ignored and no errors are thrown.
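The string-splicing pattern from the post next to its parameterized replacement, as an added example that is not part of the original post. It transcribes the ASP concatenation to Python, runs the lookup against a constructed in-memory SQLite table (the Users table, sample rows and column names are assumptions), and shows that with a bound parameter the same input is treated as a literal username rather than as SQL.

```python
import sqlite3

# Constructed sample rows standing in for the Users table from the post.
SAMPLE_USERS = [("Bob", "bob@example.invalid"), ("Alice", "alice@example.invalid")]


def make_db():
    """Fresh in-memory SQLite database with a Users table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(username):
    """The ASP pattern from the post, transcribed to Python: the form value is
    spliced straight into the SQL text, so an apostrophe or comment marker in it
    becomes part of the statement. Returned for inspection only, never executed."""
    return "SELECT * FROM Users WHERE Username='" + username + "'"


def lookup_user_safe(conn, username):
    """Hardened form: the value is passed as a bound parameter, so the database
    receives it as data and can never parse it as SQL syntax."""
    cur = conn.execute("SELECT Username, Email FROM Users WHERE Username = ?", (username,))
    return cur.fetchall()


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def safe_lookup_on_fresh_db(username):
    """Run the parameterized lookup on a fresh database and report
    (matching rows, whether the Users table survived)."""
    conn = make_db()
    return lookup_user_safe(conn, username), table_exists(conn, "Users")


if __name__ == "__main__":
    text = "Bob' DROP TABLE Users--"  # the input discussed in the post
    print("concatenated statement:", build_query_unsafe(text))
    rows, intact = safe_lookup_on_fresh_db(text)
    print("parameterized lookup rows:", rows, "| Users table intact:", intact)
```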