A little question about Sql Injection in SP.
Posted by: Ming Yeung
Date: January 12, 2006 06:14AM
Hi,
I just ran some tests with SQL injection.
Here are two different statements in stored procedures that do the same work, where inUsername and inPassword are IN parameters:
1st:
SELECT * FROM user WHERE username = inUsername AND password = inPassword;
2nd:
SET @sql = CONCAT("SELECT * FROM users WHERE username ='", inUsername, "' AND password='", inPassword, "'");
PREPARE STMT FROM @Sql;
EXECUTE STMT;
If a user inputs ' OR username='abc' -- for the username, the 2nd statement will suffer a SQL injection while the 1st statement will not.
My question is: what are the differences between them? Why does the 1st statement not need single quotes?
Regards,
Ming
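
Added example, not part of the original post: the two forms from the question side by side in MySQL, plus a third form that keeps dynamic SQL but binds the inputs with `?` placeholders. In the static form the statement is parsed when the procedure is created and the parameters are only ever values, which is why no quotes are needed; in the CONCAT form the input becomes part of the text that PREPARE parses. The procedure names, the `users` table layout and the sample rows are assumptions made for the example; `DELIMITER` is a mysql client command.

```sql
-- Constructed schema and rows for the demonstration.
CREATE TABLE users (
  username VARCHAR(64) PRIMARY KEY,
  password VARCHAR(64) NOT NULL
);
INSERT INTO users VALUES ('abc', 'secret-abc'), ('ming', 'secret-ming');

DELIMITER //

-- Form 1 from the post: static SQL. inUsername and inPassword are typed
-- values compared against the columns; their contents are never parsed as SQL.
CREATE PROCEDURE login_static(IN inUsername VARCHAR(64), IN inPassword VARCHAR(64))
BEGIN
  SELECT * FROM users WHERE username = inUsername AND password = inPassword;
END//

-- Form 2 from the post: the statement text is built from the inputs.
-- With the username from the post, the text handed to PREPARE is
--   SELECT * FROM users WHERE username ='' OR username='abc' -- ' AND password='x'
-- so the quote in the input ends the literal and the rest is parsed as SQL.
CREATE PROCEDURE login_concat(IN inUsername VARCHAR(64), IN inPassword VARCHAR(64))
BEGIN
  SET @sql = CONCAT("SELECT * FROM users WHERE username ='", inUsername,
                    "' AND password='", inPassword, "'");
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END//

-- Dynamic SQL with placeholders: the text given to PREPARE is constant and
-- the inputs are supplied as values through EXECUTE ... USING.
CREATE PROCEDURE login_bound(IN inUsername VARCHAR(64), IN inPassword VARCHAR(64))
BEGIN
  SET @sql = 'SELECT * FROM users WHERE username = ? AND password = ?';
  SET @u = inUsername;
  SET @p = inPassword;
  PREPARE stmt FROM @sql;
  EXECUTE stmt USING @u, @p;
  DEALLOCATE PREPARE stmt;
END//

DELIMITER ;

-- The same input from the post, passed to each form for comparison.
CALL login_static("' OR username='abc' -- ", 'x');
CALL login_concat("' OR username='abc' -- ", 'x');
CALL login_bound("' OR username='abc' -- ", 'x');
```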