SUMMARY
Successful SQL injection requires a simple methodology:
1. Generate a database error in the application through input validation techniques.
2. Manipulate the invalid input until you can determine the structure of the underlying SQL statement or find a combination of characters that executes properly.
3. Gather information about the application’s database via SQL queries.
4. Gather information about the system via SQL queries.

You will spend most of your time on steps 1 and 2. Once you’ve determined the correct format of the SQL injection, you can execute SQL statements at will. The most important thing is to be able to get through step 2. It’s all about walking through ticks, semicolons, and dashes.
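
The example below is added here and is not code from the original article. It shows, from the application side, why ticks, semicolons, and dashes produce the errors and altered results that steps 1 and 2 rely on, and how a bound parameter removes both. The table, sample names, and helper functions are constructed for illustration, with an in-memory SQLite database standing in for the application's datastore.

```python
import sqlite3

def make_db():
    # Constructed sample data; one legitimate name contains a tick.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",), ("bob;--",)])
    return conn

def lookup_concat(conn, name):
    # Vulnerable pattern: the input becomes part of the SQL text,
    # so a tick in the input ends the string literal early.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # Hardened pattern: the input is bound as a value and never parsed as SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def classify(conn, lookup, value):
    """Return 'db-error' if the database rejected the statement, else the row count."""
    try:
        return len(lookup(conn, value))
    except sqlite3.Error:
        # A database error reachable from user input is the signal to alert on.
        return "db-error"

# Constructed inputs covering the three characters the summary names.
SAMPLES = ["alice", "O'Brien", "bob;--", "alice'--"]

def compare():
    """Map each input to (concatenated result, parameterized result)."""
    conn = make_db()
    return {v: (classify(conn, lookup_concat, v),
                classify(conn, lookup_param, v)) for v in SAMPLES}

if __name__ == "__main__":
    for value, (concat, param) in compare().items():
        print(f"{value!r:12} concatenated={concat!r:10} parameterized={param!r}")
```

A semicolon or dash inside the literal is inert on its own; it is the unescaped tick that lets the rest of the input reach the SQL parser, which is why the concatenated lookup errors on a legitimate name and matches a row the input never named.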




