
Difference between revisions of "SQL injection/Basics/Testing/WHERE clause"

From NetSec

Latest revision as of 06:15, 19 July 2012


The most reliable tests are boolean challenges, combined with arithmetic operators, that filter the results a query returns. A boolean challenge returns zero rows if its condition is not met, and returns the same result as the unmodified request if the condition is met. This lets researchers determine vulnerability via a "true/false" test.

  • In the first example (using $id) we have an unsanitized integer. The URI (uniform resource identifier) may look something like:
 /article_by_id.php?id=10
  • A researcher could check that URI against:
 /article_by_id.php?id=10%20AND%201=1
 and
 /article_by_id.php?id=10%20AND%201=0
  • When a page is vulnerable, the page at
 /article_by_id.php?id=10%20AND%201=1

will match the page at:

 /article_by_id.php?id=10

whereas the page at:

 /article_by_id.php?id=10%20AND%201=0

will have data (and likely the entire article) missing.

  • In the second example, using $title, the same effect can be achieved on an unsanitized string with the following URIs:
 /article_by_title.php?id=SQL%27%20AND%20%271%27=%270
 /article_by_title.php?id=SQL%27%20AND%20%271%27=%271

The same methodology as the integer test applies, merely with added single quotes (%27).
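The following is an added example, not code from the original page: it runs the page's integer and string test values against a concatenated query and against a bound-parameter query, showing that the true/false difference appears only in the concatenated form. SQLite, the articles table, its columns and all function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(10, "SQL", "body of article 10"), (11, "Other", "body of article 11")])
    return db

def by_id_concat(db, id_param):
    # Unsanitized integer: the parameter text becomes part of the WHERE clause.
    return db.execute("SELECT title, body FROM articles WHERE id = " + id_param).fetchall()

def by_id_bound(db, id_param):
    # Hardened: reject anything that is not an integer, then bind it as a value.
    try:
        article_id = int(id_param)
    except ValueError:
        return []
    return db.execute("SELECT title, body FROM articles WHERE id = ?", (article_id,)).fetchall()

def by_title_concat(db, title_param):
    # Unsanitized string: a single quote in the parameter closes the literal.
    query = "SELECT title, body FROM articles WHERE title = '" + title_param + "'"
    return db.execute(query).fetchall()

def by_title_bound(db, title_param):
    # Hardened: the whole parameter, quotes included, is compared as one string.
    return db.execute("SELECT title, body FROM articles WHERE title = ?", (title_param,)).fetchall()

def shows_differential(handler, db, base, true_case, false_case):
    # The signature described above: the true case matches the original page
    # and the false case returns zero rows.
    baseline = handler(db, base)
    return bool(baseline) and handler(db, true_case) == baseline and handler(db, false_case) == []

# URL-decoded forms of the page's test values (%20 is a space, %27 a single quote).
ID_CASES = ("10", "10 AND 1=1", "10 AND 1=0")
TITLE_CASES = ("SQL", "SQL' AND '1'='1", "SQL' AND '1'='0")

if __name__ == "__main__":
    db = make_db()
    for handler, cases in ((by_id_concat, ID_CASES), (by_id_bound, ID_CASES),
                           (by_title_concat, TITLE_CASES), (by_title_bound, TITLE_CASES)):
        print(handler.__name__, shows_differential(handler, db, *cases))
```

The same check works as a regression test for a fixed handler: once the parameter is bound, the "true" request no longer matches the original page.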

Most of today's security systems will easily identify and block simple testing methods like those illustrated above.