What is SQL Injection? From wikipedia: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed
Here is a nice SQL injection cheat sheet. Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL
http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
Table Of Contents
About SQL Injection Cheat Sheet
Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
Line Comments
SQL Injection Attack Samples
Inline Comments
Classical Inline Comment SQL Injection Attack Samples
MySQL Version Detection Sample Attacks
Stacking Queries
Language / Database Stacked Query Support Table
About MySQL and PHP
Stacked SQL Injection Attack Samples
If Statements
MySQL If Statement
SQL Server If Statement
If Statement SQL Injection Attack Samples
Using Integers
String Operations
String Concatenation
Strings without Quotes
Hex based SQL Injection Samples
String Modification & Related
Union Injections
UNION – Fixing Language Issues
Bypassing Login Screens
Enabling xp_cmdshell in SQL Server 2005
Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see.
No comments:
Post a Comment