SQL Injection

 If we use the Statement object to send the query then SQL Injection will happen 


SQLInjection

==========

users

username    upwd

sachin        tendulkar

virat             kohli


eg:

select count(*) from users where username ='"+uname+"'" and upwd =' "+upwd+"'";

username = 'sachin'

password = 'tendulkar'

Query nature

select count(*) from users where username ='sachin' and upwd =' tendulkar' ";

validation is succesful and given the authentication


eg:

select count(*) from users where username ='"+uname+"'" and upwd =' "+upwd+"'";

username = 'sachin'--

password = 'tendulkar'

Query nature

select count(*) from users where username ='sachin'-- and upwd ='tendulkar'

";

validation is succesfull and given the authentication


Note:

1. -- Single line sql comment

2. /*

Multiline sql comment

*/

If we use Statement Object to send the Query, then the problem of SQLInjection will

happen.

eg: Statement stmt = con.createStatement();

String query = "select count(*) from users where username

='"+uname+"'" and upwd =' "+upwd+"'";

ResultSet resultSet =stmt.executeQuery(query);                                                                                                        |                                                                                                                                                                    |DB: select count(*) from users where username ='"+sachin'-- ";                                                                |

count(*) = 1 (validation is successful give authentication)


if we use PreparedStatement Object to send the Query, then the problem of

SQLInjection will not happen.

eg: String query = "select count(*) from users where username =? and upwd

=?";


PreparedStatement pstmt = con.prepareStatement(query);

pstmt.setString(1,"sachin'--");

pstmt.setString(2,"tendulkar");

ResultSet resultSet =pstmt.executeQuery()                                                                                                                |                                                                                                                                                                    | for compilation using PreparedStatement                                                                                                    |                                                                                                                                                            DB: select count(*) from users where username =? and upwd =?;                                                                    |                                                                                                                                                                    |                                                                                                                                                            select count(*) from users where username ='sachin'--' and upwd='tendulkar';                                                    |                                                                                                                                                            count(*) => 0 (validation not succesfull so no authentication)

Note: In real time database used in production envrionment is "Oracle", only during

development phase we

use "MySQL" database.

In MySQLDatabase, we can't perform "SQLInjection" through comments,it

happens only in "OracleDatabase".

Comments

Post a Comment

Popular posts from this blog

Advantages and Disadvantages of Monolithic Architecture

 Benefits of going for Monolith Architecture  Simple for development(becoz all are available in single project): At initial time it is very easy.   Easy for Testing : End to End Testing we can perform.   Easy for deployment : One war file only we have to deploy to server.   Easy for Scaling : multiple server we can spin easily(horizontal/vertical scaling) if requests increases then we can make keep multiple servers through which the scaling can be done to provide good responses to the client.  Disadvantages of Monolith Architecture  Maintenance of the application: If the application is to large and complex, it is difficult to understand. Change Request in the code is very difficult. Some changes in the existing application will have an impact to the other code, Lot of Impact Analysis will occur.   Adapting to New Technology is required: Change in java version and adapting to the version change also will take time. Applicati...
Read more

Monolithic Architecture

Image
 Monolithic Architecture In our application, we will have several modules and several components are also available. Components are 1. Presentation Components These are responsible for handling Http Requests. Web applications means front end pages, Distributed applications means Rest Clients. 2. Web Components Responsible to handle user requests.(Servlets basically handles the Requests). 3. Business Components  Responsible to handle the business logic as per the business deals. 4. Persistence Components DAO is responsible for performing DB operations like DML,DDL,TCL,.... 5. Integration Components(Webservices, RestFul Services) Two projects can talk to each other only when we have Integration logic(basically RestfulServices, WebServices,...). 6. Authorization Components Responsible for Authorizing the user. 7. Notification Components Responsible for sending email or mobile message notifications. If we develop all these components as a single project then it is called as " Mono...
Read more

Eclipse debugging

Image
 Eclipse Debugging ================= Debugging is a process of getting step by step by execution in an application to find out problem/bugs and fix them as needed. Terminologies associated with Debugging a. Bugs => Problem/defect/mistake in the app/program/project[some abnormality in the application execution] Debug = > De + bug [Rectifiying the bug by identifying and Analyzing the bug] The tools or programm or software that can be used for debugging is called "Debugger"/Debugging tool To debug java code we have two tools a. JDB(Supplied by jdk tools with jdk installation) => available inside <java_home>\bin directory as jdb.exe => it is CUI tool and not so popular(Not industry standard) b. IDE supplied Debugger => Eclipse/Intelij/EclipseLink and etc ... IDE supplied Debuggers => These are GUI and they are user friendly => These are industry standard Where Debugging is required in the company? a. To find,analyze and fix logic problems/errors b. if u...
Read more