I'm testing SQL injection in my lab and need to combine two SQL queries using UNION to bypass authentication, so I would like to know if there is a way to set static values in second query, so that my JAVA code will check will only check for the user password I send as static password : The SQL Query should be like this :
SELECT * FROM users WHERE user = 'user1' UNION SELECT user AS
user1, password AS password FROM users ;'
My JAVA code reports an error :
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to
use near
First, eliminate the use of SELECT * to make sure both queries return the same number of columns. Then you can hard code your static values in the second query.
SELECT user, password
FROM users
WHERE user = 'user1'
UNION
SELECT 'user', 'password';
Using union
You must select the corresponding number type of column eg:
SELECT user, password
FROM users
WHERE user = 'user1'
UNION
SELECT 'user', 'password'
;
Related
I'm recently developing database api using java, vertx, gradle and mysql. I think I made a correct query but it shows me an error. Anybody knows the problem? Thanks in advance.
Query :
INSERT INTO USER VALUES('test#test.co.kr', 'test', 'password')
WHERE NOT EXISTS (SELECT * FROM USER WHERE email='test#test.co.kr')
Error :
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IF NOT EXISTS (SELECT * FROM USER WHERE email='test#test.co.kr')' at line 1
I believe you should mention column names after INSERT INTO USER .
Something like this;
INSERT INTO USER (email, username, password)
VALUES('test#test.co.kr', 'test', 'password')
WHERE NOT EXISTS
(SELECT * FROM USER WHERE email='test#test.co.kr')
I think you should do it like this:
INSERT INTO USER
SELECT 'test#test.co.kr', 'test', 'password'
FROM DUAL
WHERE NOT EXISTS (SELECT 1 FROM USER WHERE email='test#test.co.kr')
So, i have a login form that gets Username and Password. The data for these are stored in a Postgre table i made called useraccounts.
Is there a way to send an error whenever a user inputs a duplicate data in the login form?
For example, if my useraccounts has
username || password
admin pass
guest password
admin pass
how do i just show an error that you cant log in,if you want to enter as admin?
I think you should use follow behavior.
Column "UserName" should have type citext. It give you a simple search.
Execute query
Select username from users where username='user name'
or
Select username from users where username=?
if you can use prepared statement.
Than you check a result of query execution. If ResultSet is not empty this mean that user with name "user name" already exist and you can provide error.
Hi I have the following query which is part of a java class. I just want to know what are the possible attacks possible with the SQL Injection. How an attacker can inject queries? What are sample queries in this case that can be used to gain access to the database?
String query = ("SELECT username, password, admin FROM users
WHERE " + "username='" + username + "' AND password='" +
password + "'");
ResultSet rs = st.executeQuery(query);
// Entry in the result set means the query was successful and
//the user is a valid user
if (rs.next()) {
username = rs.getString(1);
isAdmin = rs.getBoolean(3);
I think this is a possible way of attack also by putting username as abc';# since anything after # will be considered as a comment in SQL. What others think about it?
I want to know what the attacker will be entering in the username box and password box of the HTML page to gain access as an administrator. Assuming the job of the above java class is to process the request of the users's input from a HTML page by querying a database.
basically it works like this https://xkcd.com/327/
what I do is assuming, that everything a user inputs is a threat, so I would save everything to variables like usUsername, where "us" means unsafe.
After that I check every "us"-variable for injections, what results in sUsername (s means safe). So when I build a query I can only use s-varaibles and should be safe in most cases.
This idea is totally taken from here: http://www.joelonsoftware.com/articles/Wrong.html
Based on this code you could do ANYTHING you want by manipulating the values of the username or password text sent to the query.
The only constraint is the level of permission of the user account executing the query. If it was a sysadmin, you could delete everything. If it's SQL Server and xp_cmdshell is enabled, you could format the hard drive of the SQL server.
SQL Injection is one of those things where if you can do something you can pretty much do anything.
Look into the Havij tool, that is a security research tool that can demonstrate the power of SQLi.
You can not do that. username and password can be replaced by anything leading to all types of queries. You must use a prepared statement to provide username and password
Entering the following values for password would add a row to the result set containing the values 'admin', 'dummy', 1 for username, password, and admin, respectively:
' AND 1=0 UNION SELECT 'admin', 'dummy', admin FROM users WHERE admin = 1 AND '1'='1
The resulting query would look like:
SELECT username, password, admin FROM users
WHERE username='dummy' AND password='' AND 1=0 UNION SELECT 'admin', 'dummy', admin FROM users WHERE admin = 1 AND '1'='1'
The first SELECT would return no result as 1=0 is false for each record. But the second, injected SELECT would return all records where admin=1 is true and replaces the original values for username and password with admin and dummy, respectively.
You should use prepared statements and pass the values as parameters on execution.
I have a ClientsTable like that :
firstName lastName address idNumber userName password
| | | | |
david bowie here 123 mick jagger
chuck norris there 456 steven seagal
I want to get both the userName and the password of each row and verify it with the given parameters of my method :
public Person verifyClientExists(String username,String password) throws SQLException
{
ResultSet results = this.m_statement.executeQuery("SELECT `userName` FROM `ClientsTable`");
while (results.next() == true)
{
// here I want to compare the retrieved data from
// mysql with the "username" and "password" given in the prototype
}
return null;
}
But with my current query I can only get one field .
How can I retrieve two fields?
Why not use
select username, password from clientstable
? And then your ResultSet interrogation is:
String username = results.getString("username");
String password = results.getString("password");
See the JDBC tutorial page on ResultSets. Note that I ask for the results by column name. It's fractionally more robust than by asking for them by index (number). If I change the SQL statement (reorder query parameters) then the correct columns are still returned.
I hope you're not storing cleartext passwords in those tables, btw! See here for more info on hashing and salts.
Change your query to:
SELECT `userName`, `password` FROM `ClientsTable`
First, I would suggest using the APIs to build queries, and not execute raw queries (take a look here).
But to answer your question - if you want to get also the password use:
ResultSet results = this.m_statement.executeQuery("SELECT `userName`, `password` FROM `ClientsTable`");
alternatively, you can check the number of records from the result:
SELECT COUNT(*)
FROM `ClientsTable`
WHERE userName = 'userHere' AND
password = 'passHere'
the result here would be 0 and 1 only :) because I assume that the username is unique.
but if you want to retrieve the username and the password, just select the two columns in your query.
SELECT `userName`, `password`
FROM `ClientsTable`
You can ask for more fields like this: SELECT userName, password FROM ClientsTable
Then use resultSet.getString(1) for userName and resultSet.getString(2) for password
Change your sql to "SELECT userName ,password FROM ClientsTable
Now you can use the resultset object and fetch the values
results.getString(1)
results.getString(2)
or you can retrieve using the fieldName
results.getString("userName");
results.getString("password");
Your query is wrong. Your query should be like :-
SELECT EMP_NAME,EMP_PASSWORD FROM EMP_DETAILS TABLE;
Its quite simple to retrieve not only 2 field but also any number of field.
my question is how to insert values into DB in sql. i have a USER who can have multiple emails. how can i insert multiple emails into one object? i dont want to add a completely new user object into a new row. i just want to update and append new email into email field of an existing user in db.
i did this:
JPA.em().createQuery
("insert into User (email) select (email) from User where USERNAME=? VALUES (?)")
.setParameter(1, username).setParameter(2, email).executeUpdate();
but it is not working, thanks for help !!
Get the user from the database, concatenate its existing email with the new value, and save the user.
JPA uses entities and generates SQL queries for you. You tyically use queries only to get entities from the database. And those queries are JPQL queries, not SQL queries.
And it looks like your schema is not normalized correctly. One User entity should have many Email entities (OneToMany associations), rather than stuffing all the emails in a single CLOB field of the user. This is how you could search and get individual emails from the database, and get users without all their emails if you don't need them.
I don't know JPA but query should be
JPA.em().createQuery
("insert into User (email) select (email) from User where USERNAME=? VALUES (?)")
.setParameter(1, username).setParameter(2, email).executeUpdate();
should be
JPA.em().createQuery("UPDATE User
SET email =?
WHERE USERNAME=? ")
.setParameter(1,email )
.setParameter(2,username)
.executeUpdate();