as part of secure code course given vulnerable java system, queries built using string concatintion, , on. following respective code line have sql inject retrieve log-in data:
string comment; int articleid; //... stmt.executeupdate("insert comment (text, article_id) values ('" + comment + "', " + articleid + ")"); comment can set text, read plain-text textbox. therefore, thought setting textbox text select statement, reading complete login data (table user has columns login , password):
' || (select login || password user) || ' which in overall should result in query
insert comment (text, article_id) values ('' || (select login || password user) || '', 4) yet, results in
org.hsqldb.hsqlexception: cardinality violation
question:
i assume because (select login || password user) not single string, result set, , may therefore not concatenated using ||.
is possible convert complete result set 1 string in way can used in sql injection scenario (in standard sql / sql works on hsqldb)?
you correct, there more 1 user , multiple rows returned select.
you can add limit 1 select first row. can create string array inner select. see guide.
in hsqldb each database user has separate access rights tables. in real deployment user inserts comments not see existence of table contains password, let alone select it.
Comments
Post a Comment