Difference between revisions of "SQL injection/Basics/Testing/WHERE clause"
From NetSec
Revision as of 06:13, 19 July 2012
The most reliable tests are boolean challenges: conditions appended to the WHERE clause, combined with comparison or arithmetic operators, that filter the rows a query returns. A boolean challenge returns zero rows when its condition is false and the same rows as the unmodified query when its condition is true. This lets a researcher determine vulnerability with a simple "true/false" test.
- In the first example (using $id) we have an unsanitized integer. The URI (Uniform Resource Identifier) may look something like:
/article_by_id.php?id=10
- A researcher could check that URI against:
/article_by_id.php?id=10%20AND%201=1
/article_by_id.php?id=10%20AND%201=0
- When a page is vulnerable, the page on
/article_by_id.php?id=10%20AND%201=1
will match the page on:
/article_by_id.php?id=10
however the page at:
/article_by_id.php?id=10%20AND%201=0
will have data (and likely the entire article) missing.
- In the second example, using $title, the same effect can be achieved on an unsanitized string with the following URIs:
/article_by_title.php?id=SQL%27%20AND%20%271%27=%270
/article_by_title.php?id=SQL%27%20AND%20%271%27=%271
The same methodology as the integer test applies, merely with added single quotes (%27) so that the injected condition closes and reopens the string literal in the WHERE clause.
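The following is an added example, not code from the NetSec wiki, showing why both the integer ($id) and string ($title) tests above behave as described. It builds a tiny in-memory SQLite table (constructed sample data), writes the two page scripts the vulnerable way (string concatenation into the WHERE clause) and the hardened way (type validation plus bound parameters), and runs the page's true/false comparison against each. The function and table names are assumptions chosen for the example; the page's own PHP scripts are not shown on the page.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    # Constructed sample data standing in for the site's articles table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(10, "SQL", "Article ten body"), (11, "Other", "Article eleven body")],
    )
    return conn


def param_from_uri(uri, name="id"):
    # Decode one of the page's URL-encoded test URIs (%20 -> space, %27 -> quote)
    # into the raw value the server-side script actually receives.
    return parse_qs(urlsplit(uri).query)[name][0]


def article_by_id_vulnerable(conn, raw_id):
    # Mirrors the $id example: the parameter is pasted straight into the WHERE clause,
    # so "10 AND 1=0" becomes part of the SQL and filters every row out.
    sql = f"SELECT id, title FROM articles WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def article_by_title_vulnerable(conn, raw_title):
    # Mirrors the $title example: the value sits inside single quotes, so the %27 in the
    # payload closes the literal and the appended condition is evaluated as SQL.
    sql = f"SELECT id, title FROM articles WHERE title = '{raw_title}'"
    return conn.execute(sql).fetchall()


def article_by_id_safe(conn, raw_id):
    # Hardened form: enforce the integer type, then bind the value as a parameter.
    # Anything that is not an integer is rejected before it can reach the query.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (article_id,)).fetchall()


def article_by_title_safe(conn, raw_title):
    # Hardened form: the bound parameter is compared as data, quotes included,
    # so the injected condition never becomes part of the WHERE clause.
    return conn.execute("SELECT id, title FROM articles WHERE title = ?", (raw_title,)).fetchall()


def boolean_test(fetch, conn, baseline, true_case, false_case):
    """The page's true/false check: the endpoint behaves as vulnerable when the TRUE
    variant returns the same rows as the baseline and the FALSE variant returns none."""
    base = fetch(conn, baseline)
    return bool(base) and fetch(conn, true_case) == base and fetch(conn, false_case) == []


if __name__ == "__main__":
    db = make_db()
    id_true = param_from_uri("/article_by_id.php?id=10%20AND%201=1")
    id_false = param_from_uri("/article_by_id.php?id=10%20AND%201=0")
    title_true = param_from_uri("/article_by_title.php?id=SQL%27%20AND%20%271%27=%271")
    title_false = param_from_uri("/article_by_title.php?id=SQL%27%20AND%20%271%27=%270")
    print("vulnerable $id:   ", boolean_test(article_by_id_vulnerable, db, "10", id_true, id_false))
    print("hardened  $id:    ", boolean_test(article_by_id_safe, db, "10", id_true, id_false))
    print("vulnerable $title:", boolean_test(article_by_title_vulnerable, db, "SQL", title_true, title_false))
    print("hardened  $title: ", boolean_test(article_by_title_safe, db, "SQL", title_true, title_false))
```

Run stand-alone, the vulnerable versions report True for both tests and the hardened versions report False: with bound parameters the "true" variant no longer matches the baseline, because the whole string (quotes and all) is looked up as a literal title, and the integer endpoint rejects the non-numeric value outright. Running this comparison against a staging copy of an application is a cheap regression check that parameter binding is actually in place.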