sql - Why is this prepared statement vulnerable?
I am learning about SQL injection, and I understand that prepared statements can protect against it. I had the example below of a vulnerable usage of a prepared statement, but there was no explanation of why it is vulnerable. Here is the code:
// Deliberately vulnerable: the table name is concatenated into the SQL text, only the user value is bound with "?".
PreparedStatement psProblem = connection.prepareStatement("SELECT user, password FROM tbl_user, " + userInput.addTableName + " WHERE (user=?)");
Any SQL statement containing unsanitized user input is vulnerable for the same reason: the user can input a string that terminates the SQL early and replaces the rest with SQL of their own.
For example, entering `tbl_user WHERE 1=0; DROP TABLE tbl_user;--` as the table name
would drop the user table. The resultant SQL is this:

SELECT user,password FROM tbl_user,tbl_user WHERE 1=0; DROP TABLE tbl_user;--WHERE (user=?)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
|                                                      |                    |
original query (does nothing because of the condition) attack payload       commented-out portion
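The usual fix, as an added example that is not code from the question or the answer: a table name cannot be bound with `?`, so it has to be validated against an allow-list of identifiers the application actually uses, while the user value is still bound as a parameter. The `ALLOWED_TABLES` set (including `tbl_user_archive`), the class name and the method names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

public class SafeTableLookup {
    // Allow-list of table names the application may join against (assumed values for
    // this example). Identifiers cannot be parameterised with "?", so they are validated.
    private static final Set<String> ALLOWED_TABLES = Set.of("tbl_user", "tbl_user_archive");

    // Returns the candidate only if it matches an allowed table name exactly; any other
    // input, including "tbl_user WHERE 1=0; DROP TABLE tbl_user;--", is rejected before it
    // can reach the SQL text.
    static String validateTableName(String candidate) {
        if (candidate == null || !ALLOWED_TABLES.contains(candidate)) {
            throw new IllegalArgumentException("table name not permitted");
        }
        return candidate;
    }

    // Same query as in the question, but the identifier comes from the allow-list and the
    // user value is bound with setString, so neither piece of user input becomes SQL code.
    static PreparedStatement lookupUser(Connection connection, String tableName, String user)
            throws SQLException {
        String table = validateTableName(tableName);
        PreparedStatement ps = connection.prepareStatement(
            "SELECT user, password FROM tbl_user, " + table + " WHERE (user = ?)");
        ps.setString(1, user);
        return ps;
    }
}
```

Rejecting unknown identifiers outright is preferable to quoting or escaping them, since the set of legitimate table names is known at build time.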