Tuesday, 1 March 2011

Hack an Website ? SQL Injection ? Very simple

Hack an Website ? SQL Injection ? Very simple

Are you looking for some useful tips to improve your web projects security? In this post I suggest you some interesting points about this topic.
Hacking is very interesting topic you can improve programming skill.
SQL Injection
SQL Injection like this

Login Java Code

String userid = request.getParameter(“userid”);
String password = request.getParameter(“password”);
connection = DriverManager.getConnection(“jdbc:odbc:projectDB”);query = “SELECT * FROM Users WHERE user_id =’” + userid + “‘ AND password =’” + password +”‘”;

PreparedStatement ps = connection.prepareStatement(query);
ResultSet users = ps.executeQuery();
//some thing here

Injection Works like this

query = “SELECT * FROM Users WHERE user_id =” OR 1=1; /* AND password =’*/–’”;
Login PHP Code;
Username = ‘ OR 1=1;//
Password = ….
$mypassword=$_POST['pwd'];$sql=”SELECT * FROM users WHERE user=’$myusername’ and password=’$mypassword’”;

//some code
else {

Injection Works like this

$sql=”SELECT * FROM users WHERE user=”OR 1 = 1;//’ and password=’….’”;
How to avoid these mistakes Use addSlashes() function adding slashes(/) to the string in java and php
//Java Code
addSlashes(String userid);// PHP Code

Hacker is intelligent than programmer. So always hide the file extension (eg: *.jsp,*.php,*.asp).
http://xyz.com/login.php to http://xyz.com/login
http://xyz.com/login to http://xyz.com/signin.do
In Java redirect this URL links using Web.xml file and inn php write .htaccess file in root directory.