SQL Injection Testing Tutorial (Example and Prevention of SQL Injection Attack)

By Vijay

I'm Vijay, and I've been working on this blog for the past 20+ years! I’ve been in the IT industry for more than 20 years now. I completed my graduation in B.E. Computer Science from a reputed Pune university and then started my career in…

Updated June 23, 2024

SQL Injection Examples and Ways to prevent SQL Injection Attacks on Web Applications

While testing a website or a system, the tester’s aim is to ensure that the product is protected as well as possible.

Security Testing is performed for this purpose. Before starting, we need to decide which attacks are most likely to be attempted against the product. SQL Injection is one of them.

SQL Injection is one of the most common attacks, and it can have serious consequences for your system and its sensitive data.


What is SQL Injection?

Some user inputs are used to build the SQL statements that the application then executes against the database. It is possible that the application does not handle that input properly, for example by concatenating it straight into the query text.

If so, a malicious user can supply input that changes the meaning of the SQL statement that is built and executed. This is called SQL Injection, and its consequences can be severe.

As the name itself implies, the purpose of the SQL Injection attack is to inject the malicious SQL code.

Each and every field of a website is like a gate to the database. In the login form, the user enters the login data, in the search field the user enters a search text, and in the data saving form, the user enters data to be saved. All the indicated data goes to the database.

Instead of correct data, if any malicious code is entered, then there is a possibility for some serious damage to happen to the database and the whole system.

SQL Injection is carried out in SQL itself. SQL (Structured Query Language) is the language used to manage the data held in relational databases, so the injected payload is SQL code that the database executes as part of the application’s own query.

This is one of the most popular attacks, as databases are used for almost all technologies.

Most of the applications use some type of database. An application under test might have a user interface that accepts user input that is used to perform the following tasks:

#1) Show the relevant stored data to the user e.g., the application checks the credentials of the user using the login information entered by the user and exposes only the relevant functionality and data to the user.

#2) Save the data entered by the user to the database e.g. once the user fills up a form and submits it, the application proceeds to save the data to the database; this data is then made available to the user in the same session as well as in the subsequent sessions.




Risks of SQL Injection

Nowadays, a database is being used for almost all systems and websites, as data should be stored somewhere.

As sensitive data is being stored in the database, there are more risks involved in the system’s security. If any personal website or blog’s data were stolen, then there wouldn’t be much damage when compared to the data that would be stolen from the banking system.

The main purpose of this attack is to hack the system’s database, therefore this attack’s consequences can really be harmful.

The following things might result from SQL Injection:

  • Hacking other person’s account.
  • Stealing and copying website’s or system’s sensitive data.
  • Changing the system’s sensitive data.
  • Deleting system’s sensitive data.
  • The user can log in to the application as another user, even as an administrator.
  • Users can view private information belonging to other users e.g., details of the other users’ profiles, transaction details, etc.
  • The user could change the application configuration information and the data of the other users.
  • The user could modify the structure of the database; and even delete tables in the application database.
  • The user can take control of the database server and execute commands on it at will.

The above-listed risks can really be considered serious, as restoring a database or its data can cost a lot. It can cost your company a reputation and money to restore lost data and systems.

Therefore it is highly recommended to protect your system against this type of attack and consider Security Testing as a good investment in your product’s and company’s reputation.

As a tester, I would like to comment, that testing against possible attacks is a good practice even if Security Testing was not planned. This way you can protect and test the product against unexpected cases and malicious users.

The Essence of this Attack

As mentioned earlier, the essence of this attack is to hack the database for malicious purposes.

To test for it, you first find the input paths that reach the database and then send SQL payloads through them. If the application is vulnerable, the payload becomes part of the statement the database runs, and harmful actions can be performed there.

Each and every field of a website is like a gate to the database: whatever we enter into a field or a link parameter ends up in a database query. If, instead of correct data, we send SQL code and the application does not handle it, that code is executed as part of the query.

To perform the attack we have to change what the application’s query does. One common method is to make the query’s condition always true and place our own code after it. A simple payload that makes the condition always true is ' OR 1=1;-- (a single quote to close the string literal, the tautology OR 1=1, and a comment marker).


Testers should keep in mind that, when checking whether the query can be made always true, both kinds of quote should be tried, single and double, because the application may be quoting the value either way. So after trying ' OR 1=1;-- we should also try " OR 1=1;-- (and, for numeric parameters that are not quoted at all, plain OR 1=1;--).


For example, let’s consider a query that searches for the entered word in a database table:

SELECT * FROM notes nt WHERE nt.subject = 'search_word';

If, instead of the search word, we enter the payload ' OR 1=1;--, the query’s condition becomes always true:

SELECT * FROM notes nt WHERE nt.subject = '' OR 1=1;--'

Here the single quote closes the string literal that was holding the subject, OR 1=1 makes the WHERE clause true for every row, and -- turns the rest of the line (including the application’s own closing quote) into a comment, so it is never parsed. Note that MySQL only treats -- as a comment when it is followed by a space, so on MySQL the payload is written ' OR 1=1;-- with a trailing space, or with # instead. It is one of the most popular and easiest ways to start controlling the query.

A few other payloads may also be used to make the condition always true, like:

  • ' OR 'abc'='abc';--
  • ' OR ''='';--

The most important part here is that after the semicolon we can append any further statement we would like executed. Whether that second statement actually runs depends on the database and the driver: many drivers accept only one statement per call and reject the whole input, while others (Microsoft SQL Server executing a batch, for instance) run every statement they are given.

For example, it may be ' OR 1=1; DROP TABLE notes; --


If this injection is possible, then any other malicious code may be written. In this case, it will only depend on the malicious user’s knowledge and intention.

How to Check SQL Injection?

Checking for this vulnerability can be very simple. Often it is enough to type a single quote ' or a double quote " into the tested field. If the application returns an unexpected or unusual message, the field is a strong candidate for SQL Injection and deserves further probing.

For example, if a search returns an error page such as ‘Internal Server Error‘ (an HTTP 500), the quote most likely broke the syntax of the query, which means the input reached the database unescaped. An error alone is an indicator rather than proof: confirm it with a payload whose effect you can observe, such as one that changes the number of rows returned.

Other results that may notify a possible attack include:

  • The blank page is loaded.
  • No error or success messages – functionality and page do not react to the input.
  • Success message for malicious code.

Let’s look around at how this works in practice.

For example, let’s test whether a login window is vulnerable to SQL Injection. In the email address or password field, type a single quote ' as shown below.


If such input returns an error message like ‘Internal Server Error‘ or any of the other unexpected results listed above, the field is very likely injectable.


More elaborate SQL Injection payloads may also be tried. I would like to mention that in my career I have not encountered a case where the single quote alone produced an ‘Internal Server Error’ message, but at times the fields did not react to more complicated SQL code.

Checking for SQL Injection with a single quote ' is nonetheless a trustworthy first step, because it is the character most likely to break the syntax of a quoted string literal.

If the single quote does not return any inappropriate result, we can try the double quote and check the results.


The always-true payload is also a way to check whether the attack is possible: it closes the parameter’s string literal and turns the condition into ‘true‘. If the input is not validated, such a payload produces an unexpected result (for instance, every record instead of the matching ones), which again shows that the attack is possible here.


Checking for possible SQL attacks can also be performed through the website’s links. Suppose we have a link such as http://www.testing.com/?books=1. Here books is a query parameter and 1 is its value. If we replace 1 with a single quote, we test whether that parameter is injectable.

The resulting link http://www.testing.com/?books=' tests whether the attack is possible through that parameter of http://www.testing.com. Note that the browser or your tool sends the quote percent-encoded, so the request actually reads http://www.testing.com/?books=%27; encode payloads yourself when scripting the check, otherwise spaces and special characters may not arrive intact.


In this case, if the link http://www.testing.com/?books=' returns an error message like ‘Internal Server Error‘, a blank page or any other unexpected result, SQL Injection through that parameter is likely, and we can go on to send more elaborate SQL payloads through the link.

To check whether the attack is possible through the website’s link, a payload like ' OR 1=1;-- can also be sent in place of the parameter’s value.
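The link checks just described, together with the indicator list from the "How to Check SQL Injection?" section, as an added example in Python (this is not code from the original article). It assumes probing a URL’s query-string parameters only; the URL http://www.testing.com/?books=1 and the sample response bodies are constructed for the demonstration, and the error fragments are the standard messages of the named database engines.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Probe payloads from the article, tried in place of each parameter value.
PROBE_PAYLOADS = ("'", '"', "' OR 1=1;--", "' OR 'x'='x")

# Error fragments that leak straight from a database when a quote breaks the
# query.  Each is the standard message text of the named engine.
DB_ERROR_SIGNATURES = (
    "You have an error in your SQL syntax",                 # MySQL / MariaDB
    "Unclosed quotation mark after the character string",   # Microsoft SQL Server
    "quoted string not properly terminated",                # Oracle (ORA-01756)
    "unterminated quoted string",                           # PostgreSQL
    "unrecognized token",                                   # SQLite
)


def probe_urls(url, payloads=PROBE_PAYLOADS):
    """Return one URL per (parameter, payload) pair.

    Each payload is percent-encoded so the server receives it intact: a raw '
    becomes %27, a space becomes +, and = and ; are escaped.  Parameters other
    than the one under test keep their original value.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    urls = []
    for index, (name, _original) in enumerate(params):
        for payload in payloads:
            mutated = list(params)
            mutated[index] = (name, payload)
            urls.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return urls


def classify_response(status, body, baseline_body):
    """Label one probe response using the article's indicators.

    baseline_body is the page returned for the normal, untouched value, so that
    'no reaction' (input silently swallowed) can be told apart from a change.
    """
    lowered = body.lower()
    if any(sig.lower() in lowered for sig in DB_ERROR_SIGNATURES):
        return "database error leaked"
    if status >= 500:
        return "server error"
    if body.strip() == "":
        return "blank page"
    if body == baseline_body:
        return "no reaction"
    return "different content"


if __name__ == "__main__":
    for u in probe_urls("http://www.testing.com/search?books=1&page=2"):
        print(u)
    # Constructed responses, as a real scan would obtain them over HTTP.
    baseline = "<html>1 book found</html>"
    samples = [
        (500, "Internal Server Error"),
        (200, "You have an error in your SQL syntax; check the manual..."),
        (200, ""),
        (200, baseline),
        (200, "<html>3 books found</html>"),
    ]
    for status, body in samples:
        print(status, repr(body[:40]), "->", classify_response(status, body, baseline))
```

The "different content" case (for instance, a tautology returning more rows than the baseline) is the strongest signal of the five, because it shows the injected SQL was not merely rejected but actually evaluated by the database.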


As an experienced software tester, I would like to remind you that an unexpected error message is not the only sign of a SQL Injection vulnerability, yet many testers look for the attack only through error messages.

The absence of any validation error, or a success message for malicious input, can also be a sign that the attack is possible. In that blind case nothing is echoed back, and the effect has to be inferred from the application’s behaviour, such as a change in the number of results or in response time.

Security Testing of Web Applications Against SQL Injection

Security testing of web applications explained with simple examples:

Since the consequences of this vulnerability can be severe, SQL Injection should be tested for during the security testing of every application. With the overview above in mind, let us look at a few practical examples.

Important: This SQL Injection Test should be tested only in the test environment.

If the application has a login page, it may build dynamic SQL such as the statement below (written here in VB-style string concatenation, with & joining the pieces). It is expected to return at least one row with the user’s details from the Users table when a row exists with the entered username and password.

"SELECT * FROM Users WHERE User_Name = '" & strUserName & "' AND Password = '" & strPassword & "';"

If the tester enters John as strUserName (in the username textbox) and Smith as strPassword (in the password textbox), the SQL statement becomes:

SELECT * FROM Users WHERE User_Name = 'John' AND Password = 'Smith';

If the tester enters John'-- as strUserName and leaves strPassword empty, the statement becomes:

SELECT * FROM Users WHERE User_Name = 'John'--' AND Password = '';

Everything after John' is now a comment, so the password is never checked. If a user named John exists in the Users table, the application logs the tester in as John, and the tester can view John’s private information.

What if the tester does not know the name of any existing user of the application? In this case, the tester can try common usernames like admin, administrator, and sysadmin.

If none of these users exists in the database, the tester can enter John' or 'x'='x as strUserName and Smith' or 'x'='x as strPassword. The SQL statement then becomes:

SELECT * FROM Users WHERE User_Name = 'John' or 'x'='x' AND Password = 'Smith' or 'x'='x';

Since 'x'='x' is always true (and AND binds more tightly than OR, so the final or 'x'='x' applies to the whole condition), the result set consists of every row in the Users table. The application will typically log the tester in as the first user returned, which is frequently the first account ever created, often an administrator.

Important: The tester should request the database administrator or the developer to copy the table in question before attempting the following attacks.

If the tester enters John'; DROP TABLE users_details;-- as strUserName and anything as strPassword, the SQL statement becomes:

SELECT * FROM Users WHERE User_Name = 'John'; DROP TABLE users_details;--' AND Password = 'Smith';

If the database and driver execute stacked statements in one call (Microsoft SQL Server runs such a batch, for instance), the table users_details is permanently deleted. Many drivers accept only one statement per call and reject this input with an error instead; the error is itself a sign that the input reached the query unchanged.

Though the above examples deal with using the SQL injection technique only in the login page, the tester should test this technique on all the pages of the application that accept user input in textual format e.g. search pages, feedback pages, etc.

SQL injection is just as possible in applications served over HTTPS: TLS protects the data in transit, not the query that is built from it. A network firewall does not protect the application either, because the payload travels inside an ordinary, permitted HTTP request; a web application firewall may block some well-known payloads, but variants can often get past it, so it is no substitute for fixing the code.

I have tried to explain this attack technique in a simple form. I would like to re-iterate that this attack should be tested only in a test environment and not in the development environment, production environment or any other environment.

Instead of manually testing whether the application is vulnerable to SQL attack or not, one could use a Web Vulnerability Scanner that checks for this vulnerability.

Related reading: Security Testing of the Web Application. Check this for more details on different web vulnerabilities.

Vulnerable Parts of this Attack

Before starting the testing process, every sincere tester should more or less know which parts would be most vulnerable to this attack.

It is also a good practice to plan which field of the system is to be tested exactly and in what order. In my testing career, I have learned that it is not a good idea to test fields against SQL attacks randomly as some fields can be missed.

As the attack is carried out through the database, every input path that ends up in a query is a candidate: data-entry fields, search boxes, and parameters in website links.

Vulnerable parts include:

  • Login fields
  • Search fields
  • Comment fields
  • Any other data entry and saving fields
  • Website links

It is important to note that while testing against this attack, it is not enough to check only one or a few fields. It is quite common, that one field may be protected against SQL Injection, but then another does not. Therefore it is important not to forget to test all the website’s fields.

Automating SQL Injection Tests

As some tested systems or websites can be quite complicated and contain sensitive data, testing manually can be really difficult and it takes a lot of time too. Therefore testing against this attack with special tools can really be helpful at times.

One such tool is SoapUI. If we already have automated regression tests at the API level, we can add SQL Injection checks to them with this tool. SoapUI ships with templates for this attack, which can be extended with your own payloads. It is quite a reliable tool.

However, this requires that the tests are already automated at the API level, which is not always easy. Another possibility is to test automatically using browser plugins.

It is worth mentioning that even though automated tools save time, they are not always considered very reliable: they cannot understand the application’s logic, and the blind cases, where nothing is echoed back, need a human to interpret. If you are testing a banking system or any website with very sensitive data, it is highly recommended to test it manually as well. You can see the exact results and analyze them, and be sure that nothing was skipped.

Comparison with Other Attacks

SQL Injection can be considered as one of the most serious attacks, as it influences the database and can cause serious damage to your data and the whole system.

It can certainly have more serious consequences than a JavaScript Injection or HTML Injection, as both of those execute in the victim’s browser. By comparison, with SQL Injection you can gain access to the whole database on the server.

In order to test for this attack, you should have a good knowledge of SQL and, in general, understand how database queries work. You should also be careful and observant while performing the injection tests, as any field you skip may leave an injection point undiscovered.

Conclusion

We hope you now have a clear idea of what SQL Injection is, how to test for it, and how it is prevented: the reliable defence is to keep user input out of the SQL text altogether by using parameterized (prepared) statements, so that input is bound as data and can never be parsed as SQL.

It is highly recommended to test for this type of attack every time a system or website with a database is tested. Any database or system vulnerability left behind can cost the company its reputation as well as a lot of resources to restore the whole system.

As testing for this injection helps find the most important security vulnerabilities, it is also worth investing in your own knowledge alongside the testing tools. If Security Testing is planned, then testing for SQL Injection should be planned as one of its first parts.

Have you come across any typical SQL Injections? Feel free to share your experiences in the comments section below.


97 thoughts on “SQL Injection Testing Tutorial (Example and Prevention of SQL Injection Attack)”

  1. Hello Mr.Inder P Singh

    So according to you what should be the test cases for testing these two text fields.

    You told about allowing the special character under for password , that’s very true since all the bank forcefully suggest to keep the A/c password with some complex combination of chars, special chars & numbers.

    Because here the security issue is on top priority, so under these circumstances what should the various test cases and test plans.

    Regards,

    yogini
    (software test engineer)

    Reply
  2. I have been able to get the best PEN tester for my online business after so many other futile tries. He came at the right time too. They provide the best in vulnerability analysis and remote access of devices , their software and methods are up to date and i can testify that to you, the contact mail is in the username for those that need help..

    Reply
  3. Very, very useful article, but I am having some doubt... if any attempt passes, then how are the results going to be displayed? I mean, will the results be displayed in the front end?
    Anybody please clarify my doubt... Thanks in advance

    Reply
  4. Hi,
    I am new to this topic and very interested to learn it. It’s really a good article for a beginner.
    To start with, how will we come to know if an application is vulnerable to SQL attacks or not?

    Reply
  5. @Vlad,

    An error page NOT containing the SQL error is better than the one that does because it does not help the attacker with further information. However, such a design may not reduce the risk of SQL attacks; it may simply increase the time required for the attack. This post is about testing a web application with this attack technique but is not about ways to secure the application against this attack technique.

    Even though you have asked a simple question, I somehow get the feeling that you are quite knowledgeable about this vulnerability. If so, would you like to share some of your knowledge on this topic?

    Many thanks for your comment!
    Inder P Singh

    Reply
  6. It is very essential for every information technology professional to understand this well in order to make his website secure.

    Reply
  7. Lovely article. Before going through this post I really had no idea about this vulnerability and how much it will be helpful in testing the applications that I will handle. Thanks to the author for writing it in such easy and picturesque form.

    Reply
  8. Hi everyone,
    my name is Naveen, I have 2 years’ experience in manual testing of Windows applications. Recently, I got an interview for web-based testing, and they are asking me for a paper presentation on web-based testing, so I request everyone, please send me the required documents to prepare for the interview. My mail ID is naveen_mag@yahoo.com.

    Thanks and regards
    Naveen

    Reply
  9. This article is very much useful for the users who were interested to start sql injection. Thanks for this great work and keep going ..

    Reply
  10. Hi

    Recently I started learning the concepts of this attack. The article provided above is excellent, but can you please provide some more practical examples so that I can be very clear on the same?

    Reply
  11. Really, this article is very good for understanding the concept of SQL attack. After reading the example of this attack, I got very clear about the concept.
    Very nice article.... Hope you would write more articles with examples.

    Reply
  12. Hi,
    “Software testing help” is highly helpful for me. I have a doubt, what will be the first deliverable from a tester side after getting the SRS of a project? whether integration test case or System test case or understanding document. As of now we are preparing a Understanding document then System test case for entire requirement. Please clear my doubt.

    Thanks & Regards
    Manohar

    Reply
  13. hi venkat,

    Suppose I have an e commerce web site.
    So if you want to buy something you have to log in with your credentials, and only if the data you are giving exists in the DB will you get access to the next page.
    Consider that the name pooja is not in the DB. So if I am giving the name as pooja, login should fail.
    In this case, let us take the case that the developer has coded it like: if username=”pooja” then allow (I don’t know programming, I am just giving the algorithm). Here, when you are giving the name as pooja, even though the name does not exist in the DB, it will allow you to go to the next page, since it is hard-coded.
    Here my question is: as a tester, how can we determine that the validation is really happening against the database and the name is not hard-coded?
    Thanks
    pooja

    Reply
  14. Hi @Pooja,

    Code review (either manual or automated) is a good way to find the presence of hard-coded values (among other problems). Also, if you are familiar with the database design and can get access to the database, you may be able to find out the user information there.

    If you do not have any access to the application code or the database (in other words, you only have the website open in your browser), finding about hard coded user names may still be possible by noting the average times it takes to login with different user names. For example, if the username, Pooja, is hardcoded in the application it ought to log in faster than with another username, say Pooja1, which is present in the database. However, keep in mind that the success of this technique would depend on the assumption that most of the time in logging in is spent in validating the username and password. But, I think that it is worth a try.

    Inder P Singh

    Reply
  15. Hi
    I am not getting any proper virtual server where I can check cross-browser compatibility with Mac, since I don’t have a Mac.

    Kindly give me suggestions
    Thanks
    Abhi

    Reply
  16. Excellent.

    But I have a doubt over here: if no error occurred in the front end while pushing the sample data (the ' sign) as mentioned, and the data is saved as it is, is that OK, or should single/double quote data not be saved into the database?

    Reply
  17. Can anyone please tell me the Sql attack for below scenario:-

    1. Enter URL and passing stored procedure or web service input parameters.
    2. Then it connects to the database and do authentication, authorization and validation
    3. That URL based on input parameters decides which takes to execute either SP or Web service.
    4. Then collects data and pass to the other system.

    Please help to test SQL attack.

    Your suggestion will be appreciated.

    Reply
  18. @Rajesh,

    There are many tools available to test this attack. Examples of such tools include web vulnerability scanners.
    Tips:
    1. It might be better to choose a new tool (that checks for exploits discovered recently.)
    2. You might want to use multiple tools that complement each other.
    3. Instead of limiting yourself to the capabilities of the available tools, you might want to supplement testing with manual testing for SQL attack.

    @Yogini,

    Testing for this attack would depend on the following:
    1. The flavor of SQL used by the application
    2. The kind of query the application uses on the log in page
    3. Results of the previous test

    Here are a few test ideas that are based on the examples given in the article:
    1. Check if entering an apostrophe character causes a SQL error in the application.
    2. Guess a common user name and enter it in the field of user name along with a string terminator and a comment character e.g. —
    3. Enter any user name along with a condition that is always true.

    I will explain more test ideas in a future article.

    Thank you both,
    Inder P Singh

    Reply
    • hey, this might help you

      1. Install dsniff to spoof the ARP table.
      2. Assume that Carol’s MAC address is the same as the one in the ARP table gained from dsniff.
      3. Spoof the IP of Carol’s computer with our Kali IP.
      4. Enable IP forwarding. This is to allow incoming connections.
      5. Install bettercap.
      6. Run bettercap and the module and enable ARP spoofing.
      7. The MAC address should have changed now.
      8. Build a caplet file to capture traffic.
      9. Now the attacker PC can act as the man in the middle and intercept inbound and outbound connections. It is time for the attacker to get the HTTPS website and serve an HTTP website to Carol.
      10. To downgrade HTTPS to HTTP for Carol to browse, the attacker needs to downgrade HTTPS to HTTP.
      11. Make a copy of the caplet file and set the net sniff local to true, e.g. “set net.sniff.local true”.
      12. Load the caplet and this will spoof the connection to HTTP.
      13. Now the hacker can serve the HTTP website to Carol by forwarding the HTTP connection to Carol’s PC.
      14. When Carol logs in to Zalada, we can obtain the username, password and email through the traffic captured by bettercap.

      Reply
  19. Nice article by Inder P Singh. I was aware of the SQL injection methodology but I was not sure about the implementation. These examples are a great relief for web and desktop application testers.

    Many, many thanks to Inder. Hope to hear from you soon on “URL Re-Writing”. This is another security threat for web-based applications.

    Reply
  20. Suppose I have an e commerce web site.
    can u explain in detail.
    i have an application which is having a login page.How can we determine that the login credentials are not hard coded and it is really checking with the database entries to allow the login.
    Please reply

    Reply
  21. Dear all,

    I am working as a tester in a small company. For the past three months I have only been testing the interface, navigation, re-testing and functionality flow of the web application. I would like to know more about testing techniques used in web applications, because I am the only tester available in the company. So I want to know a few more techniques to use in real time... Kindly provide me information.

    Reply
  22. Nice topic. I am a test trainee, I don’t know anything related to testing. How should I approach learning testing? It’s so vast, so many new things; it’s interesting but also confusing. Please help me.

    Reply
  23. Very nice article. I am working as SQA, I am interested in learning testing skills, and I recently heard about this attack; the testing is explained very clearly.
    Thank you. “Software testing help” is highly helpful for me.
    If there were proper code it would be better.

    Reply
  24. @Ravishankar,

    Security testing deals not only with the sensitivity of information (such as the crucial personnel information mentioned by you), it also deals with the availability of information. Therefore, if you have a web application that does not hold any sensitive information but allows an attacker to gain control of the application/database using this vulnerability technique, the attacker could cause a denial of service to the users. This means that all web applications could benefit from security testing using the SQL attack technique.

    Thanks for your comment!
    Inder P Singh

    Reply
  25. @Raja,

    Thank you for your question!

    You should try out various combinations of the username and the password as partial SQL expressions to see if your application is susceptible to SQL attack. Some examples are:
    1. Any name followed by an apostrophe
    2. admin followed by an apostrophe
    3. Username as John’ or ‘x’=’x and password as Smith’ or ‘x’=’x

    Happy testing!
    Inder P Singh

    Reply
  26. please anyone answer to below mentioned java script, which is a web site hacking script.

    How to handle this java script in DB.

    Thanks in advance……….

    Reply
  27. @Yogni,

    There are two reasons why the approach of disallowing any characters other than alphabets and numbers might not work:

    1. Some web applications allow users to create usernames containing other characters, e.g. a user is allowed to use an email address as a username, or a user might use a user name with an apostrophe like O'Brien.

    Further, passwords with special characters are encouraged since the number of permutations of such passwords increases. This makes it more difficult for an attacker to guess a password.

    2. Even if characters other than alphabets and numbers are not allowed on client-side, the attacker might intercept the HTTP traffic between the browser and the server with the help of tools like TamperIE, Fiddler etc and insert the special characters that were prevented in the client-side validation.

    Hope this helps!
    Inder P Singh

    Reply
  28. Hi,
    I have an application which has a login page. How can we determine that the login credentials are not hard coded and that it is really checking against the database entries to allow the login?
    Please reply.

    Reply
  29. SQL injection is an ignored testing part in most companies. But as developers don't pay attention to database security, it's the testers' responsibility to secure the application against such attacks. Take this responsibility.

    Thanks for this article.

    Reply
  30. Hi all,

    I am creating a web app scanner for my major project for 4th year B.E. in CSE. I need help in finding the right tools and technologies for its implementation. Can someone help me?

    Reply
  31. Please, can you elaborate on this article? Actually, I am new to security and facing a lot of problems with where to start the testing.

    Can anyone help regarding this?

    Reply
  32. @Inder: If I understood correctly, if the application is set to throw an error page (something like “An error has occurred. Please contact your admin”), it greatly reduces the risk of such attacks?

    Thanks,
    Vlad

    Reply
  33. Hi to all,
    I am testing a web application with a database for security testing; its username and password are username = admin,
    password = admin. Can you tell me an SQL attack for this application?

    Reply
  34. Nice article!
    But I don't agree with the first comment:

    “It's the testers' responsibility to secure the application against such attacks. Take this responsibility.”

    I think the correct way to say it is:

    “It's the testers' responsibility to run SQL attack test cases; the whole team must take the responsibility to secure the application against such attacks.”

    Maybe it is only a word puzzle, but as testers we need to emphasize that quality is a matter for the whole team, not only the testers.

    Thanks!
    Poncho

    Reply
  35. @Inder
    In one of your previous posts you were talking about attacking the HTTP request before it reaches the server. If I am not wrong, this is CSS (Cross Site Scripting). I used a tool, WebScarab, to test the same, where I can stop the user-entered parameters and pass my own parameters to the server. But during this process I faced a problem: we used HQL in the project, where if I enter any invalid characters then, even though there is no validation, Hibernate throws an Invalid Query exception. Are there any tools or mechanisms with which I can break the HQL?

    Reply
  36. I don't think this attack is necessary as part of testing for all web applications, but it should be made part of the test plan depending on the type of data it is dealing with, say crucial personnel information which is of high importance to the user, say a government website. In all such cases it should be made part of the test plan if needed.

    Reply
  37. @Rajesh,

    That is a good question. Not one but many tools and web vulnerability scanners are available to test SQL attack. However, when using a tool or a scanner, it is best to complement the test with manual testing because the tool or scanner might have limited features available.

    Thanks,
    Inder P Singh

    Reply
  38. Hello, I have a question. Does anybody know how to do security testing on a web-based application using QTP? If so, can you please e-mail me or contact me. I really do need to know about security testing and how I go about it. E-mail: kajohnson00@gmail.com

    Thanks

    Reply
  39. @Moesha,

    You are right. If any problem related to this vulnerability has been found in the application, it would make sense to have automated tests to check the same in other areas of the application as well as in future releases of the application. However, keep in mind that execution of some test cases would depend on the success of the prior test case(s).

    Thank you,
    Inder P Singh

    Reply
  40. Hello Vijay,

    But under testing, e.g. for a login page:

    If the user is not allowed to enter any character other than alphabets and numbers in the username and password fields,

    would it be enough to stop the SQL injection attack by putting validations on special chars, blank spaces and null values?

    Reply
  41. Can I know how I can use this attack when Hibernate querying is used? As in HQL the query is dynamically generated, and these special characters are not allowed as there are validations for them.

    Reply
  42. Magic String: The magic string is a simple string of SQL used primarily at login pages. The magic string is
    'OR''='
    When used at a login page, you will be logged in as the user on top of the SQL table.

    Reply
  43. Filtering blank characters and using prepared statements would be sufficient tools against SQL attacks.
    For extra security, we may filter all SQL keywords such as: or, delete, and, select, from, where, etc.
    PS: These security measures must be implemented on the server side, not the client side.

    Reply
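The two patterns discussed in comments 42 and 43 above, side by side, as an added example that is not part of the article or of any comment: a login check built by string concatenation, and the same check as a prepared (parameterised) statement. The users table, the credentials, and the function names are constructed for this example. It feeds both forms a correct credential pair, a legitimate username containing an apostrophe (the case raised in comment 27), and the magic string from comment 42.

```python
import sqlite3

# Constructed sample data for this example (not from the article or its comments).
USERS = [("admin", "admin"), ("o'brien", "Pa55!word"), ("smith", "hunter2")]
MAGIC = "'OR''='"  # the "magic string" quoted in comment 42, in straight quotes


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the statement is assembled by string concatenation,
    so quote characters in the input become part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY id")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened form: a prepared (parameterised) statement. The driver binds
    the values as data; nothing in them is ever parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY id")
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def attempt(login_fn, conn, username, password):
    """Run a login function and report a database error as a value instead of
    raising, so the outcomes below can be compared side by side."""
    try:
        return login_fn(conn, username, password)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__


def run_demo():
    """Return a dict of outcomes for three inputs against both login styles."""
    conn = make_db()
    cases = {
        "valid": ("admin", "admin"),               # a correct credential pair
        "apostrophe": ("o'brien", "Pa55!word"),    # legitimate name with a quote
        "magic": (MAGIC, MAGIC),                   # the magic string from comment 42
    }
    results = {}
    for label, (user, pwd) in cases.items():
        results["concat/" + label] = attempt(login_concat, conn, user, pwd)
        results["param/" + label] = attempt(login_param, conn, user, pwd)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} -> {value!r}")
```

Running it shows three things at once: the concatenated query logs the magic string in as the first row of the table (admin) and fails with a syntax error on the perfectly valid name o'brien, while the parameterised query accepts the apostrophe as data, returns no row for the magic string, and needs no character or keyword filtering to do so. The same lesson applies in Java (`PreparedStatement`) and, for comments 35 and 41, to HQL: bind parameters with named or positional placeholders rather than concatenating user input into the query text.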
  44. Hi,
    I’ve a doubt. Please clarify.
    I’m testing a web application whose links connect to the developer database.

    When entering values with single quote into the input fields, a server error is returned, which gives some lines of code and stack trace.

    Is this correct? How should I proceed next?

    Please clarify.

    Thanks in advance.

    Reply
  45. Deepak,

    You should consider any one or more of Perl, Python or PHP programming languages to build your scanner. It would be well to be on the lookout for existing components that are available for you to use.

    Thanks,
    Inder P Singh

    Reply
  46. I am new to testing. This article is helpful, but I still need more information regarding the SQL attack. Can I have your contact number?

    Reply
  47. Very nice article. I am working as SQA; I am interested in learning testing skills, and I recently heard about this attack, and the testing of it is explained very clearly.
    Thank you.

    Reply