This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:OWASP Testing Guide v2 Table of Contents"
From OWASP
| Line 10: | Line 10: | ||
SELECT id FROM users WHERE name=''or+1=1--' AND pass=''; | SELECT id FROM users WHERE name=''or+1=1--' AND pass=''; | ||
</pre> | </pre> | ||
| + | |||
| + | This isn't the best example either as it may allow someone to log into a site, but it's better than dropping the users table. Then again, all SQL injection is dangerous. | ||
Revision as of 20:12, 11 January 2007
I believe that publishing this SQL injection as a test method is extremely dangerous. While professional testers know not to drop tables from databases, inexperienced testers or malicious users could attempt this on sites with potentially disastrous effects.
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
I would recommend using a more benign SQL injection example, such as:
SELECT id FROM users WHERE name=''or+1=1--' AND pass='';
This isn't the best example either as it may allow someone to log into a site, but it's better than dropping the users table. Then again, all SQL injection is dangerous.
