Hello,
I am in the middle of learning about IT Security.
I wonder why sometimes people uses ASCII value for SQL injection attack? Do you know the reason why?
Why not using normal ' mark.
davy_yg 2 Posting Whiz
Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators. Moderator Featured Poster
If you are just learning IT security then you should first learn the definitions of
- ASCII
- SQL Injection Attack
before asing the question. ASCII is a mapping of bit patterns onto characters (EBCDIC and unicode are two others). SQL injection is a method of embedding unwanted (to the atackee) SQL commands in other legitimate commands. It is independent of the character encoding.
rproffitt commented: I'm going to test someone with my EBCDIC SQL INJECTION TEST next. +0
davy_yg 2 Posting Whiz
So it's not an alternative?
For instance instead of using ' (mark), you can use %27 for sql injection test?
Which is normally
Username = [" or ""=" ]
Password = [" or ""=" ]
Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators. Moderator Featured Poster
You are not protecting yourself by using a different delimiter. You protect yourself (one way) by using parameterized queries. For example, if you have a textbox on a form where a user is building a search query and the user is expected to type in a field to search for, let's say a last name, with the resulting query something like
SELECT * FROM someTable WHERE last_name = 'Jones'where Jones is entered by the user. What would happen if instead of entering Jones, the user entered Jones'; drop table someTable. In that case the resulting query would be
SELECT * FROM someTable WHERE last_name = 'Jones'; drop table someTableI may not have the syntax exactly right but you get the idea.
rproffitt commented: Always did have a fondness for "Little Bobby Drop Tables." +0
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.