SQL injection Security Testing
SQL injection attacks occur when data received from the html forms is not sanitized properly. In this type of attack, attacker tries to execute the manipulated SQL queries on the victim’s database. For example – Most of the websites will execute below query to see if the user exists in the database with given password.
Select count(*) from users where id=’xyz’ and password =’***’
If the count is greater than 1, user will get logged in successfully.
Just imagine what will happen if we enter below term in the password.
New query will become as below
Select count(*) from users where id=’xyz’ and password =’ ‘ or ‘1’=’1’
As you can see in above query, it will always return count greater than 1 and User will be logged into the website.
SQL injection examples
SQL injection attacks can be carried out by firing SQL queries appended with below terms.
1. Or 1=1
2. Or 1=1–
Preventing the SQL injection attacks
We can easily prevent the SQL injection attacks by following below techniques.
- Use parameterized queries
- Sanitize the input data submitted by users
Web development and Automation testing