harry tuttle's Journal: SQL Injection - Can you Hack It?

Journal by harry tuttle

Come and have a go if you think you're hard enough!

You can try your hand at SQL injection at SQLZoo.
The site includes a deliberately vulnerable web form, and you are invited to try to hack it.

If you do manage to find a user name and password, you can log on to the bragging board and leave a message.
The hack site includes some hints and tips for this well-known attack, but the best techniques are saved for the book SQL Hacks, published by O'Reilly and reviewed on Slashdot by Scott Walters.

Magic String

Attackers use SQL injection to get unexpected SQL statements executed on the victim's database server. For example, if you supply the string ' OR ''=' as both the user name and the password, the query

    SELECT name FROM passwd WHERE user='$user' AND password='$password'

becomes

    SELECT name FROM passwd WHERE user='' OR ''='' AND password='' OR ''=''

Because AND binds more tightly than OR, the condition reads as user='' OR (''='' AND password='') OR ''='', and the trailing ''='' is always true, so the WHERE clause matches every row. With a little luck the magic string ' OR ''=' will get you access to a vulnerable site without knowing any insider details. One caveat: on Oracle an empty string is treated as NULL, so ''='' is not true there and this particular string fails; a comparison such as 'a'='a' serves the same purpose.

Having got access to the system, you can then use further injected SQL queries to find out account names and possibly passwords.
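The following is an added example, not code from the journal entry or from SQLZoo, that runs the Magic String attack above against a string-built login query and then against a parameterised one. It assumes an in-memory SQLite database standing in for the real server, a passwd table whose columns follow the query quoted above, and two constructed accounts; it also tries the magic string in each field separately to show where the operator precedence matters.

```python
import sqlite3

# Constructed sample accounts for this demo; they are not SQLZoo's data.
# Column names follow the query quoted in the journal entry (assumption).
SAMPLE_USERS = [
    ("Alice Smith", "alice", "hunter2"),
    ("Bob Jones", "bob", "correct horse"),
]

# The journal's magic string, as typed into a login form field.
MAGIC = "' OR ''='"


def make_db():
    """In-memory SQLite database with a passwd table holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwd (name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO passwd VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(user, password):
    """The flawed pattern: form input spliced straight into the SQL text."""
    return f"SELECT name FROM passwd WHERE user='{user}' AND password='{password}'"


def login_vulnerable(conn, user, password):
    """Names matched by the string-built query. Any hit means 'logged in'."""
    return [row[0] for row in conn.execute(build_vulnerable_query(user, password))]


def login_safe(conn, user, password):
    """Hardened form: placeholders make the driver treat input as data, never as SQL.
    (Comparing plaintext passwords is a separate weakness, kept here only to
    match the journal's query; real systems compare password hashes.)"""
    rows = conn.execute(
        "SELECT name FROM passwd WHERE user=? AND password=?", (user, password)
    )
    return [row[0] for row in rows]


def run_demo():
    """Exercise both login paths with the magic string in different fields."""
    conn = make_db()
    return {
        # Genuine credentials work either way.
        "vuln_real": login_vulnerable(conn, "alice", "hunter2"),
        # Magic string in both fields, as the journal suggests: every row matches.
        "vuln_both": login_vulnerable(conn, MAGIC, MAGIC),
        # Magic string only in the password field also works, because the
        # trailing OR ''='' sits outside the AND and is always true.
        "vuln_pw_only": login_vulnerable(conn, "", MAGIC),
        # Magic string only in the user field fails: AND binds tighter than OR,
        # so it reads user='' OR (''='' AND password=''), and no password is ''.
        "vuln_user_only": login_vulnerable(conn, MAGIC, ""),
        # Parameterised query: the magic string is just an unmatched literal.
        "safe_both": login_safe(conn, MAGIC, MAGIC),
        "safe_real": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(MAGIC, MAGIC))
    for scenario, names in run_demo().items():
        print(f"{scenario:15s} -> {names}")
```

Running it prints the exact injected statement from the journal and then the names each scenario returns: both vulnerable variants that end in OR ''='' return every account, the user-field-only variant returns nothing, and the parameterised query returns a match only for real credentials.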
