Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Databases

Journal harry tuttle's Journal: SQL Injection - Can you Hack It?

Come and have a go if you think you're hard enough!

You can try your hand at the SQL Injection attack at SQLZoo.
The site includes a vulnerable web form and you are invited to try to hack it.

If you do manage to find a user name and password you can log on to the bragging board and leave a message.
The Hack site includes some hints and tips for this famous exploit - but the best techniques are saved for the book, SQL Hacks published by O'Reilly, reviewed on Slashdot by Scott Walters.

Magic String

Hackers use SQL injection to have unexpected SQL statements executed on the victim's machine. For example if you supply a string such as ' OR ''=' as both user name and password you turn the SQL query SELECT name FROM passwd WHERE user='$user' AND password='$password' into SELECT name FROM passwd WHERE user='' OR ''='' AND password='' OR ''='' The WHERE condition always returns true and so with a little luck the magic string 'OR''=' will get you access to a vulnerable site without knowing any insider details.

Having got access to the system you can then use SQL queries to find out account names and possibly passwords.

This discussion has been archived. No new comments can be posted.

SQL Injection - Can you Hack It?

Comments Filter:

Pause for storage relocation.

Working...