Saul Tigh Saul Tigh - 1 year ago 81
SQL Question

Can SQL injection be performed through an input like checkbox?

Can SQL injection be performed through an input like checkbox in old Mysql API and how?
Maybe it's a stupid question, but I have no idea if it's possible or not.

Answer Source

100% yes. It all comes down to your server side implementation. When you're sending the data to the server you should be performing input validation. In the case of a checkbox, it's a boolean. You should only be accepting values such as true or false, 0 or 1, checked etc. If data being sent to the server has a value that doesn't correspond to an expected value it should be tossed away, or even better the IP that sent it should be logged as this is most likely an attempt to hack your server.

With tools like fiddler, CURL or your browser (and your browser's devconsole) you could easily pass in any value to the field that represents that checkbox, thus, input validation is key on the server side.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download