Suppose you have the following SQL Query to create a table called notes and store data in it :
CREATE TABLE notes (
id INTEGER PRIMARY KEY,
username TEXT,
token TEXT,
text TEXT
);
INSERT INTO notes (username, token, text) VALUES ('alice', 'token-a', 'Reminder: buy milk');
INSERT INTO notes (username, token, text) VALUES ('alice', 'token-a', 'I like Bob');
INSERT INTO notes (username, token, text) VALUES ('bob', 'token-b', 'TODO: write tests');
Now to attempt SQL injection to get all alice's notes without knowing her token where the query to get the data is given as :
'''SELECT text
FROM notes
WHERE token = '%s'
''' % token
What should be the text send in the variable token so as to perform SQL injection and get all alice's notes.
Try Something like this-
';SELECT text
FROM notes
WHERE username = 'alice
SQL Injection can be implemented by concatenating the SQL statement with the input parameters. For example, the following statement is vulnerable to SQL Injection:
String statement = "SELECT ID FROM USERS WHERE USERNAME = '" + inputUsername + "' AND PASSWORD = '" + hashedPassword + "'";
An attacker would enter a username like this:
' OR 1=1 Limit 1; --
Thus, the executed statement will be:
SELECT ID FROM USERS WHERE USERNAME = '' OR 1=1 Limit 1; --' AND PASSWORD = 'Blob'
Hence, the password part is commented, and the database engine would return any arbitrary result which will be acceptable by the application.
I found this nice explanation on the free preview of "Introduction to Cybersecurity for Software Developers" course.
https://www.udemy.com/course/cybersecurity-for-developers-1/
It also explains how to prevent SQL Injection.
Related
In my spring boot application in REQUEST i post streamName and in response I get key. I'm putting this into a database and I want to avoid repeating stream names. My plan is to add such query to the insertStream method and when it returns null value, i.e. there is no such name in the database, then INSERT will be performed. Unfortunately I do not know how to implement this in the code.
This is my method:
#Override
public int insertStream(String key, String streamName) {
String sql = "" +
"INSERT INTO stream (" +
" stream_name, " + " license_key )" + "VALUES (?,?)";
return jdbcTemplate.update(
sql,
streamName,
key
);
}
and this is mention example query:
SELECT count(*) FROM public.stream WHERE stream_name='live2';
but instead of live2 it will be streamName parameter
you can use upsert in postgrsql
add a unique constraint to the stream_name column
CREATE UNIQUE INDEX unq_stream_name on stream(stream_name);
ALTER TABLE stream
ADD CONSTRAINT unq_stream_name_const
UNIQUE USING INDEX unq_stream_name;
then do upsert:
insert into stream (stream_name, license_key)
values (?,?) on conflict do nothing;
if the stream_name already exists , nothing will be inserted.
I am looking how to create basic queries from Cloud SQL using App Script.
q1: "SELECT id FROM users WHERE name = 'some name';"
q2: "UPDATE users SET name = 'other name' WHERE id = 1;"
q3: "DELETE FROM users WHERE id = 1;"
I can read the entire table and insert data, however i cannot find the documentation on the google docs site for these types of queries.
I have tried using the query filter however it returns a bool not the ID INT, I am looking for.
var id =app.datasources.Users.query.filters.name._equals == "some name";
app.Pages.Page1.decendents.label1.text = id;
:>> Type mismatch: Cannot set type Boolean for property text. Type String is expected
Note: Users table sql equivelent (id INT AUTO_INCREMENT, name VARCHAR(64), PRIMARY KEY(id))
Your query server script syntax is wrong. Try
var query = app.models.Users.newQuery(); //new query
query.filters.name._equals = "some name"; //Note single`=`;
var records = query.run(); //run the query
app.Pages.Page1.decendents.label1.text = records[0].id;
To Read:
Query#run
I am trying to insert data with the query
UPDATE CONTACTS SET internationalmsisdn = +904562038544 WHERE id = 31328
After executing query, the internationalmsisdn column is shown as 904562038544.
Why do I lost + sign ?
Any idea?
To insert a special character as a string you need to have the column type as varchar and pass the values as ,
UPDATE CONTACTS SET internationalmsisdn = '+904562038544' WHERE id = 31328
Hope this helps !!
I am having a class in computer security and are having a little trouble with the syntax when doing a sql injection on a local machine that we are suppose to hack.
below is the syntax of the sql syntax.
SqlCommand sqlc = new SqlCommand("SELECT Record FROM Table_Users WHERE Username='" + username + "' AND Password='" + password + "'");
We are trying the following in the login (username) field and ' or '1'='1 in the password
;INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');
But am getting a syntax error "Incorrect syntax near 'hejsan'."
Can you see the syntax error? =)
My first take was to have
INSERT INTO Table_Users instead of INSERT Table_Users but as the poster noted INTO is optional(in MSSQL in contrast to the standard ANSI SQL).
On second thought depending on what the data type your columns are the query could work by appending N in front of the values as per What is the meaning of the prefix N in T-SQL statements?
try
';INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');
-> you need to close the ' after Username=.
In this case you don't even need a value for the password field.
You could put -- after your injected statement to cancel the rest of the select statement:
';INSERT Table_Users (Username, Password) VALUES ('hejsan', 'glenn');--
maybe something with the quotes?
var password = "';INSERT Table_Users (Username, Password) VALUES (''hejsan'', ''glenn''); select '";
I've got tables like the following (Django model definition, with a postgres database underlying it):
class Person(models.Model):
id = models.IntegerField(primary_key=True)
name = models.CharField(max_length=300)
class Owner(models.Model):
id = models.IntegerField()
person = models.ForeignKey(Person)
I use a Python script to set up my database from CSV files. The raw files list Owners with an integer id and an integer 'person' field, which maps to the integer in Person.id.
However, given that the 'person' column in Owner expects a Person object, how do I write a raw SQL string to insert value into Owner?
owner_id = 665
person_id = 330
sql_string = 'INSERT INTO owner (id, person) VALUES (' +
sql_string += owner_id + ', ' + ???? + ');'
You don't say why you need to do this in raw SQL. And I also don't understand why you're using structidx and person in the SQL when your PK field is called id - and the underlying column name for person is person_id. So your code should be:
sql_string = "INSERT INTO owner (`id`, `person_id`) VALUES (%s, %s)"
cursor = connection.cursor()
cursor.execute(sql_string, (665, 330))
Note that it's always good practice to use the Python db-api's quoting functionality, as I have here, to avoid SQL injection attacks.