sql server security article at dbazine.com
http://www.dbazine.com/cook8.html
<quote>The user entered the following string and was authorized:
' or 1=1--
By placing a partial SQL statement into the Username textbox, a hacker "injects" the SQL fragment and thus alters the SQL statement that is executed. The injected SQL fragment actually consists of three different fragments, each with a different purpose.</quote>
Amazing. Web application design that doesn't bother creating a user as a database user and granting privileges, but just adds a user record into a table.

Received on Thu May 22 2003 - 19:53:06 CDT
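A worked illustration of the quoted fragment, added here and not part of the original post or the dbazine article: the login check built by string concatenation beside a parameterized version, both run against a constructed in-memory SQLite table of application-level user rows (SQLite standing in for SQL Server is an assumption; the injection mechanics are the same).

```python
import sqlite3

# Constructed sample data: an application-level users table, the design the
# post criticises (accounts stored as rows rather than as database users).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The string quoted from the article. Its three fragments: the leading quote
# closes the username literal, "or 1=1" makes the WHERE clause always true,
# and "--" comments out the rest of the statement (the password check).
PAYLOAD = "' or 1=1--"


def make_db():
    """Build the in-memory table the two login checks query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Concatenate user input into the statement, as in the article's example.
    Returns the matching usernames; a non-empty list is treated as 'authorized'.
    With PAYLOAD as the username the query becomes
      ... WHERE username = '' or 1=1--' AND password = '...'
    and every row matches, whatever the password."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Bind the input as parameters; the driver never parses it as SQL,
    so PAYLOAD is compared literally against the username column."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized:", login_parameterized(db, PAYLOAD, "anything"))
    print("real login   :", login_parameterized(db, "alice", "s3cret"))
```

An authentication query that returns more than one row is itself a useful signal: a correct login check should match exactly one account, and anything else should be treated as a failure and logged.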