SQL and Injection Attacks

This is intended to take place interactively with the instructor observing and helping as needed.

Part 1: Become familiar with basic SQL query elements

Use this online SQL interpreter: https://www.w3schools.com/sql/trysql.asp?filename=trysql_asc

  1. Look at the databases and the tables they contain
  2. Try a WHERE clause that selects exactly one row
  3. Try a WHERE clause that selects multiple rows
  4. Try a WHERE clause whose condition is always true

Part 2: Experiment with SQL injection

Follow the example on this web page: https://www.codingame.com/playgrounds/154/sql-injection-demo/sql-injection

Try logging in with both the actual password and with the bogus injection statement.

I find it’s easiest to have a text editor nearby and open. Construct your SQL injection in the text editor and then paste it into the password field. Try different “true” expressions.
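The following is an added example that is not part of the lab handout or of the two linked sites. It reproduces both parts of the exercise offline with Python's built-in sqlite3 module: a small constructed users table (the names and passwords are made up), the WHERE-clause drills from Part 1, and a login check written two ways. The vulnerable version builds the query by string concatenation, so the "always true" expression used in Part 2 turns the password check into a condition every row satisfies; the parameterised version passes the same input as data, so the injected text is simply compared as a password and matches nothing.

```python
import sqlite3

# Constructed sample data for this example only (not from the lab page).
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

# An "always true" password input of the kind the lab asks you to try.
INJECTED_PASSWORD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def select_where(conn, where_clause):
    """Part 1 drill: run SELECT with a given WHERE clause, return usernames."""
    sql = f"SELECT username FROM users WHERE {where_clause} ORDER BY username"
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_vulnerable(conn, username, password):
    """Builds the query by concatenating user input into the SQL text.

    This is the flaw the Part 2 demo shows: quotes in the input end the
    string literal and the rest of the input becomes SQL.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed, values travel separately.

    The driver never splices the input into the statement, so quote
    characters in the password are just characters in the password.
    """
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def demo():
    """Run the Part 1 drills and the Part 2 login comparison; return results."""
    conn = make_db()
    return {
        # Part 1: one row, multiple rows, always-true condition
        "one_row": select_where(conn, "username = 'alice'"),
        "multi_row": select_where(conn, "username IN ('alice', 'bob')"),
        "always_true": select_where(conn, "1 = 1"),
        # Part 2: real password vs. injected "always true" expression
        "vuln_real_pw": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_injected": login_vulnerable(conn, "alice", INJECTED_PASSWORD),
        "safe_real_pw": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_injected": login_safe(conn, "alice", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

Note that `vuln_injected` returns both users, not just the one whose name was supplied: the injected condition is OR-ed onto the whole WHERE clause (AND binds tighter than OR), so the query no longer checks any password at all. `safe_injected` returns an empty list, which is the behaviour a login check should have for a wrong password.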