I have made a sample website using struts 1 to try SQL injection.
I have used t1 as table name with fields username and password.
I have used OracleXE as database server and Tomcat as web server.
I have tried to use all oracle commands provided on various websites but they don't seem to work for me.
This is happening despite the fact that I know the exact table name and exact field names.
Can someone provide me with code which I can use to test SQL injection.
I have used no security at all.
This query takes in the value of username dynamically .
The user enters the username via HTML input tag & you may retrieve the parameter in HttpRequest.
We use our above query to match the username for any user.
Now if the user enters value "jack" in the input tag , the query becomes :
SELECT * FROM users WHERE name = 'jack';
Now instead of 'jack' the user enters value "jack or '1'='1'"
The corresponding query becomes
SELECT * FROM users WHERE name = 'jack' or '1'='1';
The latter '1'='1' being always true returns details for all the users.
That is what SQL injection does.
Varun Annand
Greenhorn
Joined: Nov 06, 2011
Posts: 6
posted
0
Abhi Rai wrote:Hey ,
SELECT * FROM users WHERE name = 'jack';
Now instead of 'jack' the user enters value "jack or '1'='1'"
The corresponding query becomes
SELECT * FROM users WHERE name = 'jack' or '1'='1';
The latter '1'='1' being always true returns details for all the users.
That is what SQL injection does.
I tried this but nothing happened. My simple Struts 1 application still asks for password.
Maybe I use PreparedStatement to execute SQL queries. That could have made all the difference.
0
