What Is SQL Injection By albro
· @albro ·
<center>![what is SQL Injection](https://files.peakd.com/file/peakd-hive/albro/23qrSeQei4qN64ebjKhfmZx7qok5bYpvvkEELqQAUzcdAS6VC63beUGoVqSMNNSKzv8aN.jpg)</center>

<p>
    In this post, I'm going to examine attacks called SQL Injection attacks.
</p>
<h3>
    What is SQL Injection?
</h3>
<p>
    When it comes to SQL Injection, many web programmers and website administrators get nervous and assume they are dealing with a very complicated topic. So first of all, let me tell you that there is nothing to worry about. All you have to do is drop a few bad habits and pick up some new ones. In other words, we don't need any special machinery or complex design; we just need to write our queries in the proper form so that they are completely safe. It's that simple!
</p>
<p>
    Unfortunately, although preventing SQL Injection is very simple, it is still one of the most common and serious causes of website hacking in the world. Part of the blame lies with site owners who hire the cheapest programmers rather than the most skilled ones. Another part lies with programmers who think that learning a few commands makes them a programmer, make no effort to secure the website, and simply collect their fee and deliver it quickly. Be ethical and don't cut corners in your work.
</p>
<p>
    Technically, SQL Injection is:
</p>
<pre><code class="language-plaintext">SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)</code></pre>
<p>
    But if I want to say in simpler language:
</p>
<pre><code class="language-plaintext">SQL Injection is an exploit of improperly formatted SQL queries. The root of this type of attack is the combination of code and data.</code></pre>
<p>
    In fact, an SQL query is a program just like a PHP script; the difference is that we build this program dynamically and append pieces to it as we go (pieces that usually come from the user). In such a situation it is natural that some input can change the structure of our program or disrupt its execution. This only happens when we have not formatted our query correctly.
</p>
<p>
    The following image is a joke about SQL Injection that users and programmers have spread around the web:
</p>

<center>![exploits of a mom](https://files.peakd.com/file/peakd-hive/albro/23tSwyU2EhygDkMuZF53gH1wmqMqK95og5iw3BsEDQ42oCghGCnL58zEYKRcZ6N8vRjhB.png)</center>

<p>
    If you have a little familiarity with SQL Injection you will get the joke in this picture, but if you don't understand it yet, that's okay. I want to build an example of SQL Injection around this joke! To understand it, you should know that SQL Injection attacks come from the user's side, through the user's data. For example, you want the user to give you some value: in a form you ask for the user's age or name, in the <code>login</code> form you ask for an account name and password, or even in the comments you ask users for their opinion. Now suppose one of our queries is as follows:
</p>
<pre><code class="language-php">// Vulnerable: the request value is concatenated straight into the SQL text.
$txtUserId = $_REQUEST["UserId"];
$txtSQL    = "SELECT * FROM Users WHERE UserId = " . $txtUserId;</code></pre>
<p>
    The logic of SQL is such that the expression <code>1=1</code> is always true. Now suppose we ask the user for a value (for example, a username) and, instead of typing that value, the user enters <code>105 OR 1=1</code> in the form. In this case our query becomes:
</p>
<pre><code class="language-sql">SELECT * FROM Users WHERE UserId = 105 OR 1=1;</code></pre>
<p>
    Do you see what happened? Since <code>1=1</code> is always true, the whole <code>WHERE</code> condition is always true, so the query runs successfully and returns every row from the <code>users</code> table! Now, what if the users table holds users' names, passwords or other sensitive information? In this way even a beginner attacker can read all of your users' data.
</p>
<p>
    The same thing happened in the picture above: in the online form, instead of the student's name, the statement <code>Bobby'; DROP TABLE users; --</code> was entered. This statement deletes the <code>users</code> table and all the students' information is lost! The following example is the same as the image above:
</p>
<pre><code class="language-php">$name  = "Bobby';DROP TABLE users; -- ";
$query = "SELECT * FROM users WHERE name='$name'";</code></pre>
<p>
    I have put the name variable directly into the query, so it turns into the following malicious statement:
</p>
<pre><code class="language-sql">SELECT * FROM users WHERE name='Bobby';DROP TABLE users; -- '</code></pre>
<p>
    Although programmers call this situation SQL Injection, in practice it is simply an improperly formatted string. Our query lacks the correct structure and format, and that is what made it possible to delete the entire table: that is the SQL Injection.
</p>
<p>
    Let's go to another example:
</p>
<pre><code class="language-php">$id    = "1; DROP TABLE users;";
$id    = mysqli_real_escape_string($link, $id); // $link is an open mysqli connection
$query = "SELECT * FROM users WHERE id = $id";</code></pre>
<p>
    In this example, we have asked the user for their <code>ID</code> or <code>username</code> and stored it in the <code>id</code> variable. Then we have escaped it with the <code>mysqli_real_escape_string</code> function (which escapes quotes but leaves the semicolon untouched) and finally executed it. Because <code>mysqli_query</code> runs only a single statement per call, the stacked <code>DROP TABLE</code> is never executed, and the query becomes the following harmless one:
</p>
<pre><code class="language-sql">SELECT * FROM users WHERE id = 1; DROP TABLE users;</code></pre>
<p>
    Although the above code does not cause any harm, the question here is not only whether it is dangerous or not. Imagine a boy named Leo O'Hara who wants to enroll in the school system. If we do not fix our query format, we end up with the following statement:
</p>
<pre><code class="language-sql">INSERT INTO users SET name='Leo O'Hara'</code></pre>
<p>
    Because of the apostrophe (<code>'</code>) in this boy's surname, the database reports a syntax error.
</p>
<p>[Hive: @albro]</p>
Posted on Hive (hive-169321), 2023-12-22 12:44:18.
@chessbrotherspro ·
<h3>Congratulations!</h3><hr /><div class="pull-right"><img src="https://files.peakd.com/file/peakd-hive/chessbrotherspro/AJoJKGVARKHFCTHG7ee3GNkn5RMN7wixeJ52ipAgzDZ4QmeTcBdsk8hpi4pgj4e.png" alt="You have obtained a vote from CHESS BROTHERS PROJECT"/></div><div class="text-justify"><h3>✅ Good job. Your post has been appreciated and has received support from <a href="/@chessbrotherspro"><b>CHESS BROTHERS</b></a> ♔ 💪</h3><p><br>♟ We invite you to use our hashtag <b>#chessbrothers</b> and learn more <a href="/@chessbrotherspro/introducing-chess-brothers-project-the-most-innovative-community-combining-chess-fitness-and-more"><b>about us</b></a>.</p><p>♟♟ You can also reach us on our <a href="https://discord.gg/73sK9ZTGqJ" rel="noopener" title="This is going to take you to the Discord of Chess Brothers"><b>Discord server</b></a>  and promote your posts there. </p><p>♟♟♟  Consider <a href="/@chessbrotherspro/teamwork-is-worthwhile-join-the-chess-brothers-healing-trail-supporting-the-work-being-done-and-earning-rewards"><b>joining our curation trail</b></a> so we work as a team and you get rewards automatically.</p><p>♞♟ Check out our <a href="/@chessbrotherspro"><b>@chessbrotherspro</b></a> account to learn about the curation process carried out daily by our team.</p><br>🥇 If you want to earn profits with your HP delegation and support our project, we invite you to join the <i>Master Investor</i> plan. <a href="/@chessbrotherspro/master-investor-plan-or-programa">Here you can learn how to do it.</a></div><div class="text-center"><p><br>Kindly</p><p><strong><em>The CHESS BROTHERS team</em></strong></p></div>
@stemsocial ·
<div class='text-justify'> <div class='pull-left'>
 <img src='https://stem.openhive.network/images/stemsocialsupport7.png'> </div>

Thanks for your contribution to the <a href='/trending/hive-196387'>STEMsocial community</a>. Feel free to join us on <a href='https://discord.gg/9c7pKVD'>discord</a> to get to know the rest of us!

Please consider delegating to the @stemsocial account (85% of the curation rewards are returned).

You may also include @stemsocial as a beneficiary of the rewards of this post to get a stronger support.&nbsp;<br />&nbsp;<br />
</div>