What is Database Injection?

Discussion in 'Databases' started by Nokia999, Oct 26, 2005.

  1. #1
    I have heard it various times, so I am asking here in this forum.
    What is database injection?
     
    Nokia999, Oct 26, 2005 IP
  3. J.D.

    J.D. Peon

    Messages:
    1,198
    Likes Received:
    65
    Best Answers:
    0
    Trophy Points:
    0
    #3
    It's called SQL injection. It's one of the forms of a website attack in which the attacker is able to execute arbitrary SQL against your database. Here's a simple example. If you have a form that returns a user name and you are trying to look up the user's settings in the database, your SQL might look like this (in pseudo language, building the query by string concatenation):

    "select col1, col2 from settings where username = '" + username + "';"

    If an attacker submits the username John'; insert into users (...) --, then your SQL will look like this:

    select col1, col2 from settings where username = 'John'; insert into users (...) -- ';

    As you can see, the attacker was able to insert their own record in the users table. In worst-case scenarios, SQL injection may be used to take over the entire server.

    Prevention is fairly simple: validate your input; use parameter binding when possible; escape input if parameter binding is not available.

    J.D.
     
    J.D., Oct 26, 2005 IP
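The scenario J.D. describes, run end to end against an in-memory SQLite database, as an added example that is not part of the original thread. The schema, the sample users and the payloads are constructed for the demonstration. Python's sqlite3 driver refuses stacked statements in execute(), so the vulnerable lookup deliberately uses executescript() to emulate a driver that runs the whole concatenated text as a batch, which is what makes the "John'; insert ... --" payload work. The hardened lookup is the same query with parameter binding: the payload is then just a username that matches nothing.

```python
import sqlite3

# Constructed sample schema and rows (not from the original post).
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    is_admin INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE settings (username TEXT NOT NULL, theme TEXT, lang TEXT);
INSERT INTO users (username, is_admin) VALUES ('John', 0), ('alice', 0);
INSERT INTO settings VALUES ('John', 'dark', 'en'), ('alice', 'light', 'fr');
"""

# Constructed attacker inputs: the stacked-query payload from the post, and
# the classic tautology that turns a one-row lookup into a full dump.
STACKED_PAYLOAD = "John'; INSERT INTO users (username, is_admin) VALUES ('mallory', 1) --"
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def fresh_db():
    """New in-memory database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def admin_users(conn):
    """Usernames with is_admin set; used to observe the attacker's side effect."""
    rows = conn.execute("SELECT username FROM users WHERE is_admin = 1").fetchall()
    return [r[0] for r in rows]


def lookup_settings_vulnerable(conn, username):
    """The concatenation pattern from the post: the user's text becomes SQL syntax.

    sqlite3's execute() raises on more than one statement per call, so this
    uses executescript() to behave like drivers that accept a batch of
    statements. Batch drivers normally return the first statement's result
    set, which is emulated by re-running the text before the first ';'.
    """
    sql = "SELECT theme, lang FROM settings WHERE username = '" + username + "'"
    conn.executescript(sql)                       # runs whatever was smuggled in
    return conn.execute(sql.split(";")[0]).fetchall()


def lookup_settings_safe(conn, username):
    """Parameter binding: the driver sends the value separately from the
    statement text, so quotes, semicolons and comments in it are just data."""
    return conn.execute(
        "SELECT theme, lang FROM settings WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable:", lookup_settings_vulnerable(db, STACKED_PAYLOAD))
    print("admins after attack:", admin_users(db))          # ['mallory']
    print("vulnerable, tautology:", lookup_settings_vulnerable(fresh_db(), TAUTOLOGY_PAYLOAD))

    db = fresh_db()
    print("safe:", lookup_settings_safe(db, STACKED_PAYLOAD))  # []
    print("admins after attack:", admin_users(db))             # []
    print("safe, real user:", lookup_settings_safe(db, "John"))
```

Validation (J.D.'s first point) belongs in front of either lookup, for example rejecting usernames that are not short alphanumerics, but it is a second layer: the parameterized query is what stops the injection even when the validator is wrong or missing.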
  4. Postingpays

    Postingpays Well-Known Member

    Messages:
    1,071
    Likes Received:
    32
    Best Answers:
    0
    Trophy Points:
    185
    #4
    SQL injections are illegal characters which make your text-based query corrupt, and then the person who puts in the illegal characters can do anything with your query. The best thing to avoid such injections is to use stored procedures. Do not use text queries on your web page. Always use stored procedures.
     
    Postingpays, Aug 15, 2006 IP