DaniWeb
About 15 results for sqlia - Page 1
SQLIA UNION Query
Hardware and Software > Information Security
6 Years Ago by davy_yg
Hello, One type of SQLIA is UNION Query and I still do not completely understand …, 1 FROM CreditCarTable What is the point of uniting the sqlia with another table whose values are being kept secret? Are…
SQLRand - SQLIA Prevention
Hardware and Software > Information Security
6 Years Ago by davy_yg
Hello, I am planning to do my Thesis on SQLIA and now I am trying to understand something about SQLrand. …SQLrand - a system for preventing SQLIA against web servers. The main intuition is that by using…
Re: SQLRand - SQLIA Prevention
Hardware and Software > Information Security
6 Years Ago by davy_yg
… Native PHP uses ORM? And will that be safe from SQLIA?
Prepared Statement to prevent SQLIA
Hardware and Software > Information Security
6 Years Ago by davy_yg
… all of them userID: tom' or '1'='1 then the SQLIA will be successful, correct?
Re: Prepared Statement to prevent SQLIA
Hardware and Software > Information Security
6 Years Ago by rproffitt
https://www.w3schools.com/php/php_mysql_prepared_statements.asp notes SQLIA and why we use this method. As to your question, why not echo/print the query before you pass it to the actual execute()?
Re: SQLIA UNION Query
Hardware and Software > Information Security
6 Years Ago by Reverend Jim
Unions are intended to select the same columns from different tables. You can't select different columns.
Re: SQLIA UNION Query
Hardware and Software > Information Security
6 Years Ago by pty
Reverend Jim is correct. It may help if you say the relationship out loud; if it's a 'has many' or 'belongs to' relationship (with a foreign key) you'd typically use a `join`:
* A person has zero, one or many credit cards
* A credit card belongs to a person
If it's a 'is very much like a' or a 'is a kind of' relationship, you probably want a…
Re: SQLIA UNION Query
Hardware and Software > Information Security
6 Years Ago by davy_yg
Okay let's say:
SELECT username, password FROM Users WHERE Id=$id
by injecting the following Id value:
$id=1 UNION ALL SELECT username, password FROM Othertable
We will have the following query:
SELECT username, password FROM Users WHERE Id=1 UNION ALL SELECT username, password FROM Othertable
Now …
Re: SQLIA UNION Query
Hardware and Software > Information Security
6 Years Ago by pty
http://www.sqlinjection.net/union/
Re: Preventing SQLIA
Hardware and Software > Information Security
6 Years Ago by rproffitt
@D, how many posts/discussions do you have open on SQLIA? My answer is too many.
Re: SQLRand - SQLIA Prevention
Hardware and Software > Information Security
6 Years Ago by rproffitt
From your link I read:
> Return a random decimal number (no seed value - so it returns a completely random number >= 0 and <1):
Then I read your question about SELECT SQL and do not get how these two SQL commands/functions are related. I certainly found nothing in the SQL documentation that included both. On top of that, your …
Re: SQLRand - SQLIA Prevention
Hardware and Software > Information Security
6 Years Ago by pty
There's an implementation of [SQLRand](https://github.com/nettrino/SQLRand) available on GitHub and you can read the original paper that proposed the idea [here](http://web1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf). Personally I think the approach is over complicated and would instead opt for a *sane* ORM and coding standards that …
Re: Prepared Statement to prevent SQLIA
Hardware and Software > Information Security
6 Years Ago by rproffitt
Q. what will prepared statement detect as a userID?
A. I don't see your code so I can't tell yet. Tell more, but the article was clear enough for me. That is, it doesn't allow user input to a variable to be used in the SQL statements.
Re: Prepared Statement to prevent SQLIA
Hardware and Software > Information Security
6 Years Ago by davy_yg
Let's say:
$stmt = $dbh->prepare("SELECT * FROM users WHERE userID = $id");
$stmt->bindParam(':id', $name);
If I input: userID: tom' or '1'='1
What will be detected as the userID? What will the query be like? This is taken from the article. I only added the prepared statement.
Preventing SQLIA
Hardware and Software > Information Security
6 Years Ago by davy_yg
How to prevent Illegal/Logically Incorrect Queries?
Illegal/Logically Incorrect Queries
1) Original URL: http://www.arch.polimi.it/eventi/?id_nav=886
2) SQL Injection: http://www.arch.polimi.it/eventi/?id_nav=8864'
3) Error message showed: SELECT name FROM Employee WHERE id =8864\'
from the error message we can find out the name of the table …
© 2025 DaniWeb® LLC