Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggested SQL injection examples #45

Open
kumavale opened this issue Jul 26, 2023 · 0 comments
Open

Suggested SQL injection examples #45

kumavale opened this issue Jul 26, 2023 · 0 comments
Labels
documentation Improvements or additions to documentation

Comments

@kumavale
Copy link
Owner

kumavale commented Jul 26, 2023
edited
Loading

I think we should reconsider the number of single quotes.

In the example below, since we don't write single quotes in the query because it's a static placeholder, the attacker would start with
I'm trying to write two single quotes, but when I show it escaped with .simulate(), there are a lot of single quotes and it's hard to see.

ConcatSQL/README.md

Lines 47 to 50 in f5fa442

let passwd = String::from("'' or 1=1; --"); // User supplied input
let query = query!("SELECT name FROM users WHERE id={id} AND passwd={passwd}");
assert_eq!(query.simulate(), "SELECT name FROM users WHERE id='42' AND passwd=''''' or 1=1; --'");

Since the sentence assumed by the attacker is "passwd='" + "' or 1=1; --" + "';".
@kumavale kumavale added the documentation Improvements or additions to documentation label Jul 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kumavale