SQL Injection, Java perspective
Jumat, 07 Juni 2013
0
komentar
Here are my two cents from Java Perspective.
The principal behind SQL injection is pretty simple. When an application takes user data as an input, there is an opportunity for a malicious user to enter carefully crafted data that causes the input to be interpreted as part of a SQL query instead of data.
For example, imagine this line of code:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
which is designed to show all records from the table "Users" for a username and password supplied by a user. Using a Web interface, when prompted for his username and password, a malicious user might enter:
1' or '1' = '1
1' or '1' = '1
resulting in the query:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
The hacker has effectively injected a whole OR condition into the authentication process. Worse, the condition '1' = '1' is always true, so this SQL query will always result in the authentication process being bypassed.
PreCautions :
# Always use java.sql.preparedStatement instead of Statement
# If you project is using EQL instead of SQL, then more safe.
as this has to be translated yet again from EQL to SQL, which gives more opportunity for the intervening software (JPA and the JDBC driver) opportunity to prevent a SQL injection from happening.
This explained in detail @ http://www.cisco.com/web/about/security/intelligence/sql_injection.html
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
Cheat SHEET -> https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Read more on SQL Injection @ https://www.owasp.org/index.php/SQL_Injection
# Always use java.sql.preparedStatement instead of Statement
as this has to be translated yet again from EQL to SQL, which gives more opportunity for the intervening software (JPA and the JDBC driver) opportunity to prevent a SQL injection from happening.
TERIMA KASIH ATAS KUNJUNGAN SAUDARA
Judul: SQL Injection, Java perspective
Ditulis oleh Unknown
Rating Blog 5 dari 5
Semoga artikel ini bermanfaat bagi saudara. Jika ingin mengutip, baik itu sebagian atau keseluruhan dari isi artikel ini harap menyertakan link dofollow ke http://apk-zipalign.blogspot.com/2013/06/sql-injection-java-perspective.html. Terima kasih sudah singgah membaca artikel ini.Ditulis oleh Unknown
Rating Blog 5 dari 5
0 komentar:
Posting Komentar