ollieshmollie ollieshmollie - 15 days ago
140 0

No description

Ruby

SQL Injection Example

Embed
# A request is made to the db
u_name = value_of(text_field: 'username')
# SQL query constructor
sql_string = "SELECT * FROM users WHERE username = '" + u_name + "'"
# Hacker inserts 'or '1'='1 to textfield, with the following result:
sql_query = SELECT * FROM users WHERE username = '' or '1'='1'
# '1'='1' is always true, and the db would return the entire user table, along with emails, passwords, and possibly more.
Comments