SQL Injection Guide In Java (or any other language)

Question

I have a jsp code which has a query like

'select * from MyTable where

Column1='+request.getParameter('q'),

which is executed from a

java.sql.Statement. Now, provided we can append the query by using the

request parameter, my target is to change the query to something like:

Select * from MyTable where Column1 = a; Delete from MyTable;

since the original select query is executed through java.sql.Statement,

how can we do such sql injection ? If the question is not clear, kindly

comment, I'll try to provide further explanations.

See: http://stackoverflow.com/questions/1582161/how-does-a-preparedstatement-avoid-or-prevent-sql-injection or http://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection — MicSim, Aug 17 '12 at 06:59
no actually i needed a guide which would be specific to this case. — Ranjan Sarma, Aug 17 '12 at 06:59

score 2 · Answer 1 · edited May 23 '17 at 12:33

2

SQL Injection Guide: Link1 & Link2 ,but there are so many relevant threads in Stackoverflow regarding SQL Injection like Q & A .

Do one thing,search by -> sql injection java stackoverflow

edited May 23 '17 at 12:33

Community

1
1

answered Aug 17 '12 at 07:20

big zero

610
2
8
16

score 1 · Answer 2 · answered Aug 17 '12 at 06:59

if we inject q as a anything' OR 'x'='x then it will select all the column which can be vulnerable. as because variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver

Although Prepared Statements helps in defending against SQL Injection, there are possibilities of SQL Injection attacks through inappropriate usage of Prepared Statements. The example below explains such a scenario where the input variables are passed directly into the Prepared Statement and thereby paving way for SQL Injection attacks.

Vlad Mihalcea · Answer 3 · 2018-01-06T10:29:04.197

Check out this article, which explains how the Statement and PreparedStatement, as well as executeQuery() and executeUpdate() behave when it comes to SQL Injection.

Apart from the classic DROP tables, there are more scenarios to watch out, like:

call a sleep function so that all your database connections will be busy, therefore making your application unavailable
extracting sensitive data from the DB
bypassing the user authentication

And it's not just SQL that can b affected. Even JPQL can be compromised if you are not using bind parameters.

Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose:

SQL Injection Guide In Java (or any other language)

3 Answers3