SQL injection vulnerability to add more balance?

Question

Let's say I have this SQL statement:

stmt.executeUpdate("INSERT INTO TUNEUSER (USERNAME,PASSWORD,BALANCE) VALUES ('"
        + daf.getString("username")
        + "','"
        + daf.getString("password")
        + "',0.00)");

and the application has a username and password field.

How can SQL injection be used to increased the balance from "0.00" to whatever you want?

By injecting code to modify that SQL statement. Do you understand what SQL injection is and how it works? — David, Feb 10 '16 at 18:58

Olivier De Meulder · Answer 1 · 2016-02-10T19:11:56.047

1

Set the password to something like this:

mypassword', 1000); --

edited Feb 10 '16 at 19:11

answered Feb 10 '16 at 18:58

Olivier De Meulder

2,493
3
25
30

SQL injection vulnerability to add more balance?

1 Answers1