https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=WoodmiOWASP - User contributions [en]2026-04-19T01:09:55ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:Testing_for_AJAX_Vulnerabilities_(OWASP-AJ-001)&diff=15281Talk:Testing for AJAX Vulnerabilities (OWASP-AJ-001)2007-01-11T20:15:22Z<p>Woodmi: </p>
<hr />
<div>I believe that publishing this SQL injection as a test method is extremely dangerous. While professional testers know not to drop tables from databases, inexperienced testers or malicious users could attempt this on sites with potentially disastrous effects.<br />
<br />
<pre><br />
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;<br />
</pre><br />
<br />
I would recommend using a more benign SQL injection example, such as:<br />
<br />
<pre><br />
SELECT id FROM users WHERE name=''or+1=1--' AND pass='';<br />
</pre><br />
<br />
This isn't the best example either as it may allow someone to log into a site, but it's better than dropping the users table. Then again, all SQL injection is dangerous.</div>Woodmihttps://wiki.owasp.org/index.php?title=Talk:OWASP_Testing_Guide_v2_Table_of_Contents&diff=15280Talk:OWASP Testing Guide v2 Table of Contents2007-01-11T20:15:04Z<p>Woodmi: added to wrong discussion page, should be on AJAX testing discussion board</p>
<hr />
<div></div>Woodmihttps://wiki.owasp.org/index.php?title=Talk:OWASP_Testing_Guide_v2_Table_of_Contents&diff=15279Talk:OWASP Testing Guide v2 Table of Contents2007-01-11T20:12:44Z<p>Woodmi: </p>
<hr />
<div>I believe that publishing this SQL injection as a test method is extremely dangerous. While professional testers know not to drop tables from databases, inexperienced testers or malicious users could attempt this on sites with potentially disastrous effects.<br />
<br />
<pre><br />
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;<br />
</pre><br />
<br />
I would recommend using a more benign SQL injection example, such as:<br />
<br />
<pre><br />
SELECT id FROM users WHERE name=''or+1=1--' AND pass='';<br />
</pre><br />
<br />
This isn't the best example either as it may allow someone to log into a site, but it's better than dropping the users table. Then again, all SQL injection is dangerous.</div>Woodmihttps://wiki.owasp.org/index.php?title=Talk:OWASP_Testing_Guide_v2_Table_of_Contents&diff=15278Talk:OWASP Testing Guide v2 Table of Contents2007-01-11T20:09:39Z<p>Woodmi: </p>
<hr />
<div>I believe that publishing this SQL injection as a test method is extremely dangerous. While professional testers know not to drop tables from databases, inexperienced testers or malicious users could attempt this on sites with potentially disastrous effects.<br />
<br />
<pre><br />
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;<br />
</pre><br />
<br />
I would recommend using a more benign SQL injection example, such as:<br />
<br />
<pre><br />
SELECT id FROM users WHERE name=''or+1=1--' AND pass='';<br />
</pre></div>Woodmi