SQL injection [message #282911]
Sun, 25 November 2007 00:04
riteshu
Messages: 5 Registered: May 2005
Junior Member
Hi All,
I'm not sure if this is the right forum, but I hope someone can clear up my problem.
I have a parameterized query like
SELECT * FROM USER_DATA WHERE LAST_NAME = ?
Is there any way to do SQL injection? I'm supposed to get all data from the table USER_DATA. Or can I get a subset of the whole table data?
It's part of a lab assignment which I have been trying, but everywhere I look they seem to say that parameterized queries are used to protect against SQL injection.
Re: SQL injection [message #282924 is a reply to message #282911]
Sun, 25 November 2007 02:58
Frank
Messages: 7901 Registered: March 2000
Senior Member
Do you know what SQL injection is? Either I get your question wrong, or you have the wrong idea about SQL injection.
Re: SQL injection [message #282926 is a reply to message #282924]
Sun, 25 November 2007 03:14
riteshu
Messages: 5 Registered: May 2005
Junior Member
Well, I know if it is dynamic SQL we can "inject" another SQL into the query, like
select *
from tab
where column1 = 'smith'
or '1'='1';
-- where I send smith' or '1'='1 as input and the 1=1 lets me get all rows from the table
Well, the assignment I'm working on has 2 stages, where the above worked for the first case.
Now in the second, since the query is parameterized, I'd like to know if something like the above can be done to get all rows from the table, or should I be looking at a different approach?
As expected, the above does not work since it checks the column value against the whole string.
I hope I am more clear this time.
Thnx
Re: SQL injection [message #283840 is a reply to message #282926]
Wed, 28 November 2007 04:57
PeakConsulting
Messages: 20 Registered: November 2007 Location: Suite 6, 2 Hornsey Street...
Junior Member
riteshu wrote on Sun, 25 November 2007 03:14:
Well, I know if it is dynamic SQL we can "inject" another SQL into the query, like
select *
from tab
where column1 = 'smith'
or '1'='1';
-- where I send smith' or '1'='1 as input and the 1=1 lets me get all rows from the table
Well, the assignment I'm working on has 2 stages, where the above worked for the first case.
Now in the second, since the query is parameterized, I'd like to know if something like the above can be done to get all rows from the table, or should I be looking at a different approach?
As expected, the above does not work since it checks the column value against the whole string.
I hope I am more clear this time.
Thnx
As far as I know, SQL injection can't be performed for the 2nd stage.
[Updated on: Wed, 28 November 2007 05:43] by Moderator
Re: SQL injection [message #284016 is a reply to message #283840]
Wed, 28 November 2007 10:33
Frank
Messages: 7901 Registered: March 2000
Senior Member
SQL injection can only happen (in Oracle) if you concatenate your SQL statement with entries from 'the outside world'.
As long as you use bind variables, no worries about SQL injection.
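The two stages of the assignment side by side, as an added example that is not part of the thread: the same `smith' or '1'='1` input is sent once through string concatenation and once as a bind variable. SQLite (standard library, no server) stands in for Oracle, and the USER_DATA table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the thread's USER_DATA table.
SAMPLE_ROWS = [
    (1, "smith", "alice"),
    (2, "jones", "bob"),
    (3, "brown", "carol"),
]

# The input from the thread: a quote that closes the literal, then a
# tautology. Harmless as data, harmful only when spliced into SQL text.
TAUTOLOGY_INPUT = "smith' or '1'='1"


def make_db():
    """Create an in-memory database with a USER_DATA table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER_DATA (ID INTEGER, LAST_NAME TEXT, FIRST_NAME TEXT)")
    conn.executemany("INSERT INTO USER_DATA VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, last_name):
    """Stage 1: the value is pasted into the SQL text. The attacker's quote
    terminates the literal, so the WHERE clause becomes
    LAST_NAME = 'smith' or '1'='1' and every row matches."""
    sql = "SELECT * FROM USER_DATA WHERE LAST_NAME = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """Stage 2: the value travels as a bind variable. The SQL text is fixed,
    and the whole input string is compared against LAST_NAME as data."""
    sql = "SELECT * FROM USER_DATA WHERE LAST_NAME = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo():
    """Row counts for the tautology input under both styles, plus an honest lookup."""
    conn = make_db()
    concat_rows = lookup_concatenated(conn, TAUTOLOGY_INPUT)
    bound_rows = lookup_parameterized(conn, TAUTOLOGY_INPUT)
    honest_rows = lookup_parameterized(conn, "smith")
    conn.close()
    return len(concat_rows), len(bound_rows), len(honest_rows)


if __name__ == "__main__":
    print(demo())  # (3, 0, 1)
```

The concatenated query returns every row, the bound query returns none for the same input (no LAST_NAME equals the literal string `smith' or '1'='1`), and a plain "smith" still finds its one row.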