Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Journal harry tuttle's Journal: SQL Injection - Can you Hack It?

Come and have a go if you think you're hard enough!

You can try your hand at the SQL Injection attack at SQLZoo.
The site includes a vulnerable web form and you are invited to try to hack it.

If you do manage to find a user name and password you can log on to the bragging board and leave a message.
The Hack site includes some hints and tips for this famous exploit - but the best techniques are saved for the book, SQL Hacks published by O'Reilly, reviewed on Slashdot by Scott Walters.

Magic String

Hackers use SQL injection to have unexpected SQL statements executed on the victim's machine. For example if you supply a string such as ' OR ''=' as both user name and password you turn the SQL query SELECT name FROM passwd WHERE user='$user' AND password='$password' into SELECT name FROM passwd WHERE user='' OR ''='' AND password='' OR ''='' The WHERE condition always returns true and so with a little luck the magic string 'OR''=' will get you access to a vulnerable site without knowing any insider details.

Having got access to the system you can then use SQL queries to find out account names and possibly passwords.

This discussion has been archived. No new comments can be posted.

SQL Injection - Can you Hack It?

Comments Filter:

"The pyramid is opening!" "Which one?" "The one with the ever-widening hole in it!" -- The Firesign Theatre