How to inject a SQL command to drop a table in java

Question

My java code for SQL Query is

String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";

I have tried out name= a'); DROP TABLE users; -- as well as place =a'); DROP TABLE users; --

but it returns an Ecxeption as below

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP TABLE users; --','chennai')' at line 1

Note: when i tried the same in mysql command line. It worked!!!! i don't know what happens in jdbc

see http://stackoverflow.com/questions/10797794/multiple-queries-executed-in-java-in-single-statement — , May 18 '17 at 05:29
Note that the issue with the + in the query can also come from some quote in the name "L'albatros" for example — , May 18 '17 at 05:31
why don't you try name = a and place = a'); drop table users; -- — D Ie, May 18 '17 at 06:20

score 2 · Accepted Answer · edited May 23 '17 at 12:26

The real problem is actually JDBC, it only allows one sql if you dont tell it otherwise. Look at this question for more info:

Multiple queries executed in java in single statement

But also i would try this instead, name =

a',''); DROP TABLE users; --

Since you specificed 3 columns in your insert:

(id,name,place)

You need to provide 3 values for the sql to be valid, not just 2.

Also you can sent the text null, sending a java null value is not necessary and i am not even sure how that works. I think this might be better:

String sqlSt="INSERT INTO users(id,name,place) values (null,'"+request.getParameter("name")+"','"+request.getParameter("place")+"');";

WoW!! Thanks ..... just added the attribute to allow multiple query in the URL it self..... worked !! — Rishikesh, May 18 '17 at 05:59

Drunken Daddy · Answer 2 · 2017-05-18T05:35:52.500

Instead of null, use an empty string ''

String sqlSt = "INSERT INTO users(id, name, place) values ('', '" + request.getParameter("name") + "',  '" + request.getParameter("place") + "');";

It's better to use prepared statements to avoid confusion.

String sqlSt = "INSERT INTO users(id, name, place) values ('', ?, ?)";
PreparedStatement ps = null;
try {
    ps = connection.prepareStatement(query);
    ps.setString(1, request.getParameter("name"));
    ps.setString(2, request.getParameter("place"));
    ps.executeUpdate();
} catch (Exception e) {
    e.printStackTrace();
} finally {
    ps.close();
}

score 0 · Answer 3 · answered May 18 '17 at 06:11

The real problem is with your Query. It is better to use a PreparedStatement for executing a query. Your Code should be :

String sqlSt="INSERT INTO users(id,name,place) values (?,?,?)";
PreparedStatement pstmt = null;
try{
pstmt = dbConnection.prepareStatement(sqlSt);
pstmt.setString(1,null);
pstmt.setString(2,request.getParameter("name"));
pstmt.setString(3,request.getParameter("place"));
pstmt.executeUpdate();
}catch (Exception e) {
    e.printStackTrace();
} finally {
    pstmt.close();
}

If you don't want to use a PreparedStatement, just remove last ; from your query. So your query will be :

String sqlSt="INSERT INTO users(id,name,place) values ("+null+",'"+request.getParameter("name")+"','"+request.getParameter("place")+"')";

How to inject a SQL command to drop a table in java

3 Answers3