
Let's say I am inserting username and password in the database:

INSERT INTO Users (username, Password)
VALUES ('Eden', 'Eden123');

But if I insert a second order SQL injection it is supposed to be like this:

INSERT INTO Users (username, Password) 
VALUES ('Eden'--', 'Eden123');

And because of the '--', the query is discarded, so it will be:

INSERT INTO Users (username , Password) 
VALUES ('Eden'

This query is invalid, so my question is: what does the query look like when I want to insert the username Eden'-- and the password Eden123?

Thanks!

marc_s
  • Possible duplicate of [How do I demonstrate a Second Order SQL Injection?](https://stackoverflow.com/questions/12952187/how-do-i-demonstrate-a-second-order-sql-injection) – Your Common Sense Oct 23 '19 at 18:27

1 Answer

You have to escape all characters that break your query. Depending on the relational database and its version, it's different.

Just use parameters, it'll automatically escape it all for you.

Something like:

-- The statement text contains only the placeholder @VALUE; the actual value is
-- passed separately to sp_executesql, so the quote and the -- inside it are
-- stored as plain data and never become part of the SQL text.
DECLARE @SQL NVARCHAR(1000)
SET @SQL = 'INSERT INTO Users (Username) VALUES(@VALUE)'
EXECUTE sp_executesql @SQL, N'@VALUE VARCHAR(10)', 'Username--'
Chris