Sql injection is must be tested in headers cookies and parameters with a single quote (') Sql injection is more important then XSS and are always find in Select, create, update and delete where sql queries run... We search for error base entries which are dealing with database must be fuzzed with sql injection and with burp scanner CRUD must not be missed out detection is more important to find new areas of detection jason request, where there is key parameter must not be ignored as they are attached to the database for exploitation.
************************
Read the => SQL injection attack and defense notes
*****************************************
SQL map
if not exploitable then reduce to likelihood but not the impact is always
Remediation
suggest generic remediation and tenchologies based .net php j2ee
OWSASP guide is best to google search on this
dynamic query
Dynamic SQL is a programming technique that enables you to build SQL statements dynamically at runtime. You can create more general purpose, flexible applications by using dynamic SQL because the full text of a SQL statement may be unknown at compilation. For example, dynamic SQL lets you create a procedure that operates on a table whose name is not known until runtime.
Stored procedure functions persistent query
prepared statement
parameterized query (pre-compiled statement ) imp
A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks php .net jsp is different.
************************
Read the => SQL injection attack and defense notes
*****************************************
0 comments:
Post a Comment