SQL injection on Localhost?

Posted at: 2014-12-18 
I cannot follow what you are trying to do...

SQL injection can happen when the programmer fails to 'filter' user input for such things as quotes and other special characters.

E.g. in PHP, setting up an SQL string such as

$sql = "SELECT * FROM users WHERE username = ".$_GET["username"];

With a simple username (fred), that gives

"SELECT * FROM users WHERE username = fred";

which is fine.

If someone adds appropriate characters in the username they enter - e.g.

fred OR 1=1

the SQL becomes

"SELECT * FROM users WHERE username = fred OR 1=1 "

1=1 is true for every record in the table, so the database returns everything.

The proper way is to filter each user input variable to remove or escape critical characters before it gets anywhere near the database.

Newer versions of MySQL can use "prepared" statements, which completely isolate the program variables from the syntax of the SQL query line.

Edit - link added with more info:

http://www.w3schools.com/sql/sql_injecti...

I got it. The answer is I didn't use mysqli_select_db($link,$db_database); which I am not sure that I need to use in the first place.

Hello,

I have a localhost site and I want to learn more about SQL Injections.

I get stuck at this part:

"SELECT * FROM `hack`.`hacker` WHERE `id`='-1' union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() -- ' "

Nothing gets returned and I wonder why. I checked the information_schema.tables and all of the values in the table_schema column are 'information_schema' (whatever all of that means).

I suspect that this part does not work on localhost "table_schema=database()".

So, what's going on?