Questions about this topic? Sign up to ask in the talk tab.
SQL injection/Basics/Testing/Query Reconstruction
From NetSec
Revision as of 06:15, 19 July 2012 by LashawnSeccombe (Talk | contribs) (Created page with "<noinclude>{{path|SQL injection > Basics > Testing > Query Reconstruction }}</noinclude> Reconstruction of queries ...")
- SQL injection > Basics > Testing > Query Reconstruction
Reconstruction of queries locally will be available if the SQL database engines is installed. Links are provided at the end of the page for following along. Using the above testing examples, the queries generated from the url tampering will be reconstructed.
- Original Query:
$query = "select * from articles where id=$id"; |
- Generated Queries:
$query = "select * from articles where id=10 and 1=1"; $query = "select * from articles where id=10 and 1=0"; |
Or, alternatively, the $title example can be examined:
- Original query:
$query = "select * from articles where title='$title'"; |
- Generated queries:
$query = "select * from articles where title='SQL' and '1'='0'"; $query = "select * from articles where title='SQL' and '1'='1'"; |
- The values of $id and $title are being passed directly into the SQL query. Because 1 will always equal 1, the results are passed directly back. When the false test (1=0) is applied, no data is returned by the query because there is no row in the database where 1=0. 1 always equals 1.