SQL INJECTION and two queries

sql-injection

11,777

Most sites nowadays are using parametized SQL -- not inline SQL. The situation would occur above if for instance, there was parsed, inline SQL, similar to the following:

Non-Parameterized Pseudo

string sql = "SELECT * FROM table_name WHERE smth='" + UserInput + "'";
ExecuteSql(sql);

...where UserInput defines an element on the website.

Instead of adding valid data to the UserInput field, you add,

UserInput = '';DROP table_name;

...you would actually be adding new logic to the end of the query, resulting in a malicious use of the system.

Parametized statements eliminate the possibility of SQL injection, since you can't modify the structure of the query by inserting logic into the signature.

If you attempted to set the UserInput field to a malacious query, but the site used parameters in the statement, then you would be out of luck.

Parameterized Pseudo:

Adapter proc;
proc.StoredProcedure = "GetUserNames"
proc.AddParameter("@USER",UserInput);
proc.Execute();

...as @USER is now equal to the literal "'\;DROP table_name;", which the SQL will treat as a regular ol' parameter.

11,777

Author by

good_evening

Updated on June 04, 2022

Comments

good_evening almost 2 years
So, I read article about SQL injection and there was an example:
```
SELECT * FROM table_name WHERE smth = 'x'; 
UPDATE table_name SET smth ='[email protected]' WHERE user = 'admin';
```
Why it doesn't work? Or it is an old article and nowadays this way is nonsense? So how hackers update mysql then? Thanks.