Injection flaws are a security vulnerability that allows a user to gain access to the backend database, shell command, or operating system call if the web app takes user input. Hackers append additional information within these input boxes and can create, read, update, or delete data. They may be able to append complete scripts into applications and can, therefore, execute such commands.
There are many types of injection flaws:
The following command can be added to access an account of a user using SQL Injection.
In the password column, type:
abc' OR 1==1 --
The backend SQL command is:
SELECT * FROM users WHERE email = \$email AND PASSWORD = sha256($password)
Here, when the user adds the value or email and password, the command becomes:
SELECT * FROM users WHERE email = email@example.com AND PASSWORD = sha256(abc') OR 1==1 -- )
Since the above command contains 1==1, which is always true, the system grants access to the email, .
There are many ways to protect against an Injection flaw:
<and similar characters should not be allowed.
'are allowed within names. Thus, these characters should be encoded before transmitting to the back end, e.g., John O’Leary must be transmitted as John O%27Leary if URL encoding is used. This would ensure that the database does not treat as an ending quote, but rather as a string. However, it is important to decode the string before it’s displayed on the screen.
//name String name = request.getParameter("name"); //validation String query = "SELECT account_balance FROM users WHERE username = ?"; PreparedStatement a = connection.prepareStatement(query); a.setString (1, name); a.executeQuery();
This automatically applies validation on usernames and prevents any invalid characters. The syntax also prevents hackers from gaining access to other unauthorized information.
View all Courses