I found this in one of our client’s logon audit tables (this client hosts NetTrax Web in-house):
A good example of why string building SQL is frowned upon and susceptible to SQL Injection.
In code, if authenticated the inputted user-id where the code simply concatenates the unscrubbed data directly into a string that builds the SQL statement, like this:
"SELECT Count(*) FROM users Where UserID = '" + UserIDInput + "'"
If the UserIDInput is (as one of the failed attempts in the log):
' or '1'='1
The resulting SQL would be:
SELECT Count(*) FROM users Where UserID = '' or '1'='1'
- This is a valid SQL statement.
- This will return the count of ALL users in the user table.
SQL parameterization example:
SELECT Count(*) FROM users Where UserID = @UserID
- The same input from above returns 0.