SQL Injection is the name given to manipulating SQL data through input objects. But how do you defend against it? Check it out now in this Part 2 post!

If you have not yet read the post “SQL Injection: Injecting Data from Inputs”, we advise you to take a look at it before reading this one. Understanding what SQL Injection is will help you get the most out of the post below.

How to protect yourself from the well-known SQL Injection

As everyone saw in the previous post, SQL Injection is the name given to manipulating SQL data through input objects. From now on you will learn how to defend yourself from this kind of attack in and out of our beloved Scriptcase.

Few people know about it, but Scriptcase has a list of macros that allow the user to manipulate events, application buttons and security controls, perform operations with dates, etc. Among all these macros we can find the macro “sc_sql_injection”. This is the one responsible for the safety of our input fields against the famous SQL injection.

Below we can see how the select behaves in relation to the data inserted in the input, using this select:

```php
sc_select(rs, "SELECT * FROM sec_users WHERE login = '))
```

So before, without using the macro “sc_sql_injection”, our code was open to interpretation. Now, with the macro used correctly, Scriptcase quickly realised that an abnormal value was being injected and placed a backslash before the value of the login field. This way the select being validated would be:

```sql
SELECT * FROM sec_users WHERE login = '\' OR 1=1 --' AND pswd = ''
```

Bring me everything from the sec_users table where the login equals \ or 1 is equal to 1, and ignore everything to the right of the comment marks.

Logically we will not have any login called “\”, therefore the person’s injection will be blocked.
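As an added example (not code from the original post and not Scriptcase's own implementation), the following Python script reproduces the difference described above against an in-memory SQLite table filled with constructed sample users: the concatenated query returns every row when the injected login is used, while the same input passed through a backslash-escaping step of the kind the macro performs produces exactly the query shown above. It goes one step beyond the post by also running the lookup with driver placeholders, which is the check a practitioner wants regardless of framework. The `escape_like_macro` function is an approximation assumed for this example; SQLite does not treat a backslash as an escape character (it doubles single quotes instead), so the escaped query is returned as text rather than executed.

```python
import sqlite3

# Constructed sample data: three users, none of whom has the login "\".
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]

# Constructed malicious input, the same shape the post discusses: a quote to
# close the string literal, OR 1=1 to make the WHERE clause always true, and
# a comment marker so the rest of the statement is ignored.
INJECTED_LOGIN = "' OR 1=1 --"


def escape_like_macro(value: str) -> str:
    """Approximation (assumed for this example) of what the post says
    sc_sql_injection does: put a backslash before characters that could
    terminate the string literal. This is MySQL-style escaping, not
    Scriptcase's own code."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_unsafe_query(login: str, pswd: str) -> str:
    """The 'before' shape: input concatenated straight into the SQL text."""
    return f"SELECT * FROM sec_users WHERE login = '{login}' AND pswd = '{pswd}'"


def build_escaped_query(login: str, pswd: str) -> str:
    """The 'after' shape: every input value passes through the escaping step.
    Returned as text only; SQLite would not interpret the backslash."""
    return build_unsafe_query(escape_like_macro(login), escape_like_macro(pswd))


def _fresh_db() -> sqlite3.Connection:
    """In-memory sec_users table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sec_users (login TEXT, pswd TEXT)")
    conn.executemany("INSERT INTO sec_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def rows_for_unsafe_query(login: str, pswd: str) -> list:
    """Run the concatenated query exactly as built (the vulnerable path)."""
    conn = _fresh_db()
    try:
        return conn.execute(build_unsafe_query(login, pswd)).fetchall()
    finally:
        conn.close()


def rows_for_parameterized_query(login: str, pswd: str) -> list:
    """Placeholders: the driver sends values separately from the SQL text,
    so the input can never change the statement's structure."""
    conn = _fresh_db()
    try:
        return conn.execute(
            "SELECT * FROM sec_users WHERE login = ? AND pswd = ?", (login, pswd)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print("unsafe query text   :", build_unsafe_query(INJECTED_LOGIN, ""))
    print("rows returned       :", len(rows_for_unsafe_query(INJECTED_LOGIN, "")))
    print("escaped query text  :", build_escaped_query(INJECTED_LOGIN, ""))
    print("parameterized rows  :", rows_for_parameterized_query(INJECTED_LOGIN, ""))
    print("legitimate login    :", rows_for_parameterized_query("bob", "hunter2"))
```

The concatenated statement comes back with all three users because the comment marker discards `AND pswd = ''`, which is the behaviour the previous post demonstrated. The escaped text matches the select the post shows after the macro is applied, and the placeholder version returns nothing for the injected input while still finding a real user with the correct password.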