SQL Injection Walkthrough - gHacks Tech News

SQL Injection Walkthrough

by Martin Brinkmann on May 16, 2006 in Security - Last Update: May 05, 2013 - 1 comment

If you already know what SQL Injections are and do, you may want to skip the first paragraph of this guide as it is bringing everyone else up to speed. Wikipedia defines SQL injections in the following way: SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

What does it mean in plain English? Attackers try to inject code in to websites by finding loopholes in scripts that run on the site. This can be a form on the website or any other script running on it that is not properly protected from these kind of injections.

The article "SQL Injection Walkthrough" helps you identify vulnerable scripts and explains the methods to test, verify and exploit those vulnerabilities. After reading the article you will have a basic understanding of the techniques used by attackers and if you follow the links given at the end you can dive deeper into the topic.

The guide is divided into the following chapters:

  • What is SQL Injection
  • What should you look for
  • What if you can't find any page that takes input?
  • How do you test if it is vulnerable?
  • But why ' or 1=1-?
  • How do I get remote execution with SQL injection
  • How to get output of my SQL query?
  • How to get data from the database using ODBC error message
  • How to mine all column names of a table
  • How to retrieve any data we want?
  • How to get numeric string value?
  • How to update/insert data into the database
  • How to avoid SQL injection?
  • Where to get more information

While being an introduction to SQL Injections, it is recommended to have at least some programming experience, as it makes it a lot easier to follow the guide since code examples are frequently used in the guide to explain the concepts. It should not be too difficult but basic understanding of SQL helps a lot.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Donate via PayPal

Comments

  1. rudi said on May 24, 2006 at 5:45 am
    Reply

    is my web can be HACK if i send [‘ or “1”=”1″–] srvr respond
    Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’
    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ‘1’.
    /search.asp, line 166

    but i try to insert many SQL INJECTION does not respond anything
    please help me howto hack this !
    thanks

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Spread the Word

Ghacks Newsletter Sign Up

Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up

Advertisement

This Day in History

Advertisement

Popular Posts

Advertisement

Recently Updated

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

© 2018 gHacks Technology News. All Rights Reserved.