sql - why is this prepare statement vulnerable -


I am learning SQL injection, and I understand that a prepare statement can protect against it. I had the example below as one of the vulnerable usages of a prepare statement, but there is no explanation of why. Below is the code:

PreparedStatement psproblem = connection.prepareStatement("SELECT user,password FROM tbl_user," + userinput.addtablename + " WHERE (user=?)");

Any SQL statement with unsanitized user input is vulnerable for the same reason: the user can input a string to terminate the SQL early, and replace it with SQL of their own.

For example, entering tbl_user WHERE 1=0; DROP TABLE tbl_user;-- would drop the user table. The resultant SQL would be this:

SELECT user,password FROM tbl_user,tbl_user WHERE 1=0; DROP TABLE tbl_user;--WHERE (user=?)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
|                                                      |                   |
original query does nothing because of WHERE condition attack payload      commented out portion
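The `?` placeholder binds values only, so a table name has to be checked against a fixed list before it is concatenated. The following is an added example, not code from the original post; it uses Python's built-in sqlite3 instead of JDBC so that it runs offline, and the table `tbl_role`, the allowlist and the sample rows are assumptions made up for illustration.

```python
import sqlite3

# Assumption: the tables a caller may join against are known in advance.
ALLOWED_TABLES = {"tbl_role", "tbl_group"}

# The input from the answer above, kept as data and never executed here.
PAYLOAD = "tbl_user WHERE 1=0; DROP TABLE tbl_user;--"


def build_vulnerable_sql(table_name):
    # Same shape as the question's code: the table name is concatenated,
    # so it is already part of the SQL text when the statement is prepared.
    return "SELECT user,password FROM tbl_user," + table_name + " WHERE (user=?)"


def build_safe_sql(table_name):
    # Identifiers cannot be bound with ?, so accept only exact known names.
    if table_name not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % (table_name,))
    return "SELECT user,password FROM tbl_user," + table_name + " WHERE (user=?)"


def find_user(conn, table_name, user):
    # The table name is checked against the allowlist; the user value is bound.
    return conn.execute(build_safe_sql(table_name), (user,)).fetchall()


def make_sample_db():
    # Constructed sample data, in memory only.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tbl_user (user TEXT, password TEXT);"
        "CREATE TABLE tbl_role (role TEXT);"
        "INSERT INTO tbl_user VALUES ('alice', 'h1'), ('bob', 'h2');"
        "INSERT INTO tbl_role VALUES ('admin');"
    )
    return conn


if __name__ == "__main__":
    conn = make_sample_db()
    print(build_vulnerable_sql(PAYLOAD))        # structure changed by input
    print(find_user(conn, "tbl_role", "alice"))  # allowlisted table, bound value
    try:
        find_user(conn, PAYLOAD, "alice")
    except ValueError as exc:
        print("rejected:", exc)
```
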
