- SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application.
- Also known as “magic word” or “code string”
- Example magic word: 1' or '1'='1
Steps to perform SQL injection:
- before starting, first check the website you want to hack
- SQL injection usually targets the application level or the server level
- enter the magic word in the login/password field, and in the username field as well (if needed)
How to protect a website from SQL injection
E.g.: username: 1' or '1'='1
password: 1' or '1'='1
Methods:
- an if...else statement in the login section - purpose: check whether the variable $name contains " ' " and reject it if it contains a single quote " ' "
if ($name == "1' or '1'='1") { break; } - placed before the SQL statement
- escape the single quote " ' "
- parameterized statement - set the size of the username and password
- replace the username with an email address
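Added example (not from the original post): a Python/SQLite sketch of the login check, contrasting a query built by string concatenation with the parameterized statement from the list above, and showing why rejecting every single quote also locks out legitimate names. The table, accounts, size limits and function names are constructed for illustration, and Python with SQLite stands in for the page's PHP login code.

```python
import sqlite3

MAGIC = "1' or '1'='1"  # the "magic word" quoted on this page

def make_db():
    # Constructed sample data in an in-memory database. Passwords are kept
    # in plaintext only to keep the sample short; real systems store hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("o'brien", "pw-obrien")])
    return db

def login_concat(db, username, password):
    # Vulnerable form: input is pasted into the SQL text, so a quote in the
    # input closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_param(db, username, password, max_user=64, max_pass=128):
    # Hardened form: size limits (assumed values) plus placeholders. The
    # driver sends the values separately, so they are never parsed as SQL.
    if len(username) > max_user or len(password) > max_pass:
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def rejects_quote(name):
    # The page's first method, generalized from one exact string to any quote.
    return "'" in name

if __name__ == "__main__":
    db = make_db()
    print("concat, magic word:", login_concat(db, MAGIC, MAGIC))
    print("param,  magic word:", login_param(db, MAGIC, MAGIC))
    # A legitimate name containing a quote: the filter refuses it, the
    # concatenated query fails to parse, the parameterized query works.
    print("filter rejects o'brien:", rejects_quote("o'brien"))
    try:
        login_concat(db, "o'brien", "pw-obrien")
    except sqlite3.OperationalError as exc:
        print("concat, o'brien: SQL error:", exc)
    print("param,  o'brien:", login_param(db, "o'brien", "pw-obrien"))
```

With placeholders the magic word is compared as an ordinary string and matches no account, so the quote filter becomes an extra check rather than the only barrier.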