Re: about SQL injection

[Mert Eren ÜSTÜNKAYA <mustunkaya () cepdunyasi com>]

Hi,


If you used sa acount on connecting to jdbc/odbc or whatever. It is possible 
that your db is owned right now.
just he/she needs  the table ,db names.

select * from xxx where id='

when concat with the input field

2' or 1=1; delete from xxx -- 


Example:

select * from xxx where id='2' or 1=1; delete from xxx -- 

// can delete all the data from the table xxx

-if you used 'sa' the dude can create even databases.drop databases etc.
-can be used for  information gathering
-if you hold the passwords not encrypted the passwords for the users may be 
used in other places like their email address..

these are the first ones get into my mind..


Sign:
"There is no patch for human stupidity" 



---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------