INSERT Statements
INSERT statements are used to create a new row of data within a table. They are commonly used when an application adds a new entry to an audit log, creates a new user account, or generates a new order.
For example, an application may allow users to self-register, specifying their own username and password, and may then insert the details into the users table with the following statement:
INSERT INTO users (username, password, ID, privs) VALUES ('daf', 'secret', 2248, 1)
If the username or password field is vulnerable to SQL injection, then an attacker can insert arbitrary data into the table, including his own values for ID and privs. However, to do so he must ensure that the remainder of the VALUES clause is completed gracefully. In particular, it must contain the correct number of data items of the correct types. For example, injecting into the username field, the attacker can supply the following:
foo', 'bar', 9999, 0)--
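The following is an added example, not code from the original text: it runs the username value shown above through a string-built INSERT and through a parameterized one, using Python's sqlite3 module with an in-memory database. The function names and the column types are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample input: the username value quoted in the text above.
INJECTED_USERNAME = "foo', 'bar', 9999, 0)--"

def new_db():
    # Hypothetical schema; the text names the columns but not their types.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(username TEXT, password TEXT, ID INTEGER, privs INTEGER)")
    return db

def register_vulnerable(db, username, password, next_id):
    # User input is concatenated into the statement text, so a quote in
    # the username ends the string literal and the rest is parsed as SQL.
    sql = ("INSERT INTO users (username, password, ID, privs) VALUES ('"
           + username + "', '" + password + "', " + str(next_id) + ", 1)")
    db.execute(sql)

def register_parameterized(db, username, password, next_id):
    # Placeholders keep the values out of the SQL text; privs is fixed
    # by the application and ID comes from the application only.
    db.execute("INSERT INTO users (username, password, ID, privs) "
               "VALUES (?, ?, ?, 1)", (username, password, next_id))

def rows(db):
    return db.execute(
        "SELECT username, password, ID, privs FROM users").fetchall()

def demo():
    # Register the same input through both code paths, each on a fresh table.
    results = {}
    for name, fn in (("vulnerable", register_vulnerable),
                     ("parameterized", register_parameterized)):
        db = new_db()
        fn(db, INJECTED_USERNAME, "secret", 2248)
        results[name] = rows(db)
    return results

if __name__ == "__main__":
    for name, stored in demo().items():
        print(name, stored)
```

In the string-built version the stored ID and privs come from the submitted username; in the parameterized version the whole value is stored as the username and the application's own ID and privs are kept.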