Tag: sql-injection

Escaping user input necessary if using json_encode?

If I take some input from a user in $_POST and json_encode it and put it in the query, is this prone to SQL injection? Does this input need to be escaped? In my tests, I couldn't run any queries with input like but I'm not even remotely good at this. PS – This is a test for learning. I'm

What's the meaning of 'admin' OR 1=1 -- '

The following query returns all the passwords in the table tbl_user, but I cannot understand why this is happening. Please help me to understand this part of the query: 'admin' OR 1=1 -- ' Can you introduce other threats like this (website, book, etc)? Answer This is a classic SQL injection. See this fiddle while I explain it: SQLfiddle

Blind SQL Injection using acunetix

I'm using acunetix to test my website. The problem is with this script http://boedesign.com/blog/2007/02/18/ajax-star-rating/ acunetix doesn't show any message, but when I test for blind SQL I can get values like in the rating_id mysql column. I want to only allow numbers in there, so I made a little fix, but since the first number is 8 it's passing through