SQL injection Contd......

Tuesday, 5 June 2018

SQL injection must be tested in headers, cookies and parameters with a single quote ('). SQL injection is more important than XSS, and it is always found in SELECT, CREATE, UPDATE and DELETE, wherever SQL queries run. We search for error-based entries: everything that deals with the database must be fuzzed with SQL injection and with the Burp scanner. CRUD must not be missed out; detection is more important, so as to find new areas of detection. JSON requests, where there is a key parameter, must not be ignored, as they are attached to the database for exploitation.

Read the => SQL injection attack and defense notes

SQLmap
If it is not exploitable, then reduce the likelihood rating, but not the impact, which stays as it is.

Suggest generic remediation and technology-based remediation for .NET, PHP and J2EE.

The OWASP guide is the best one to Google search for on this.

Dynamic query
Dynamic SQL is a programming technique that enables you to build SQL statements dynamically at runtime. You can create more general purpose, flexible applications by using dynamic SQL because the full text of a SQL statement may be unknown at compilation. For example, dynamic SQL lets you create a procedure that operates on a table whose name is not known until runtime.

Stored procedure, function, persistent query

Prepared statement

Parameterized query (pre-compiled statement) - important
A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks; the syntax differs between PHP, .NET and JSP.
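To make the difference between a dynamic query and a parameterized query concrete, here is an added example (it is not code from the original post). It builds a constructed in-memory SQLite table with two fake users, runs the same lookup once as dynamic SQL (statement text concatenated at runtime) and once as a parameterized query, and applies the single-quote probe described above to both. The `probe` helper is a hypothetical name chosen here; it classifies the result as an error (the error-based signal a tester looks for) or as returned rows.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_dynamic(conn, username):
    """Dynamic SQL: the full statement text is assembled from user input at runtime,
    so a quote in the input changes the structure of the statement."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the statement is compiled with a placeholder and the
    value is bound afterwards, so the input is only ever treated as data."""
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn, func, value):
    """Run one lookup with a test value and classify the outcome the way a
    tester reading responses would: ('error', message) or ('rows', rows)."""
    try:
        return ("rows", func(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("bob", "bob'", "' OR '1'='1"):
        print(repr(value))
        print("  dynamic      :", probe(db, lookup_dynamic, value))
        print("  parameterized:", probe(db, lookup_parameterized, value))
```

Running it shows the single-quote test in action: `bob'` breaks the dynamic statement with a syntax error (the error-based entry the post says to hunt for), while the parameterized version simply returns no rows for that literal username. The classic tautology string from the OWASP guide turns the dynamic lookup into "return every user", whereas the parameterized version again returns nothing, because the whole string is compared as a username value rather than parsed as SQL. The remediation advice for PHP, .NET and J2EE is the same idea with each platform's own placeholder syntax.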

Read the => SQL injection attack and defense notes