SQL Injection Tests
postmodern edited this page Sep 14, 2010 · 11 revisions
- Append `--` to the query param:
  - If the response does not change, the query param might be used in an SQL statement (the rest of the statement was commented out without breaking it).
- Append `'`, `"` or `` ` `` to the query param:
  - If the response lacks data or contains an SQL error message, the query param is being used in an SQL statement.
- Prepend `--` to the query param:
  - If the response does not change, filtering may be removing `-` characters.
- Append `0` to the numeric query param (e.g. `2` becomes `20`):
  - If the response does not change, filtering may be removing `0` characters.
- Prepend and append punctuation characters:
  - If the response does not change, filtering may be removing punctuation characters.
- Prepend `0` to the numeric query param (e.g. `2` becomes `02`):
  - If the response does not change, the query param is being treated as an integer.
- Prepend `-` to the numeric query param:
  - If the response does change, the query param is being treated as an integer.
- Prepend `+` to the numeric query param:
  - If the response does not change, the query param is being treated as an integer.
- Divide the numeric query param by 2 and append `*2` (e.g. `2` becomes `1*2`):
  - If the response does not change, the query param is being treated as an integer.
- Add 1 to the numeric query param and append `-1` (e.g. `2` becomes `3-1`):
  - If the response does not change, the query param is being treated as an integer.
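The probes above, run end to end against a constructed target. This is an added example, not code from this wiki or from the project it belongs to: the in-memory SQLite "application", its two handlers (`vulnerable_app`, which concatenates the parameter into the SQL text, and `casting_app`, which casts it to an integer first), the sample rows, the choice of `,` as the punctuation character and the error-signature check are all assumptions made for the example. `run_probes` sends each mutated value, records whether the response changed relative to the baseline, whether it carried an SQL error and whether the baseline data is missing, and `infer` applies the decision rules from the list.

```python
import sqlite3

# --- Constructed target (assumed for this example): an in-memory app with
# --- two ways of handling a numeric ?id= parameter. Sample rows are made up.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO items VALUES (?, ?)",
                  [(1, "apple"), (2, "pear"), (3, "plum"), (4, "fig")])


def _render(rows):
    return ", ".join(r[0] for r in rows) or "no results"


def vulnerable_app(id_param):
    """Concatenates the raw parameter into the SQL text (the injectable case)."""
    try:
        rows = _conn.execute(
            "SELECT name FROM items WHERE id = " + id_param).fetchall()
    except sqlite3.Error as e:
        return "SQL error: %s" % e          # leaks the database error
    return _render(rows)


def casting_app(id_param):
    """Casts the parameter to int first; non-numeric input never reaches SQL."""
    try:
        n = int(id_param)
    except ValueError:
        return "bad id"
    rows = _conn.execute("SELECT name FROM items WHERE id = ?", (n,)).fetchall()
    return _render(rows)


# --- The probes from the list above as (name, value to send) pairs ---
def probes(value):
    n = int(value)
    out = [
        ("append --",        value + "--"),
        ("append '",         value + "'"),
        ('append "',         value + '"'),
        ("append `",         value + "`"),
        ("prepend --",       "--" + value),
        ("append 0",         value + "0"),
        ("wrap punctuation", "," + value + ","),   # ',' is our assumed punctuation
        ("prepend 0",        "0" + value),
        ("prepend -",        "-" + value),
        ("prepend +",        "+" + value),
        ("add 1, append -1", "%d-1" % (n + 1)),
    ]
    if n % 2 == 0:   # halving is only exact for even values, so skip it otherwise
        out.append(("halve, append *2", "%d*2" % (n // 2)))
    return out


def run_probes(fetch, value):
    """Return {probe name: {sent, changed, sql_error, lacks_data}} for one param."""
    baseline = fetch(value)
    results = {}
    for name, sent in probes(value):
        resp = fetch(sent)
        results[name] = {
            "sent": sent,
            "changed": resp != baseline,
            # Real targets need a site-specific error signature; this matches ours.
            "sql_error": "sql error" in resp.lower(),
            "lacks_data": baseline not in resp,
        }
    return results


def infer(results):
    """Apply the wiki's decision rules to the probe results."""
    r = results
    findings = set()
    if not r["append --"]["changed"]:
        findings.add("param might be used in an SQL statement")
    for q in ("append '", 'append "', "append `"):
        if r[q]["lacks_data"] or r[q]["sql_error"]:
            findings.add("param is used in an SQL statement")
    if not r["prepend --"]["changed"]:
        findings.add("filtering may remove '-'")
    if not r["append 0"]["changed"]:
        findings.add("filtering may remove '0'")
    if not r["wrap punctuation"]["changed"]:
        findings.add("filtering may remove punctuation")
    integer_votes = [
        not r["prepend 0"]["changed"],
        r["prepend -"]["changed"],
        not r["prepend +"]["changed"],
        not r["add 1, append -1"]["changed"],
    ]
    if "halve, append *2" in r:
        integer_votes.append(not r["halve, append *2"]["changed"])
    if any(integer_votes):
        findings.add("param is treated as an integer")
    return findings


if __name__ == "__main__":
    for app in (vulnerable_app, casting_app):
        print(app.__name__, sorted(infer(run_probes(app, "2"))))
```

Running it against `vulnerable_app` with `id=2`, the `--` probe leaves the response unchanged, every quote probe returns an SQL error, and `02`, `+2`, `1*2` and `3-1` all return the same row. Against `casting_app`, the prepend `0` and prepend `+` probes still pass (Python's `int()` accepts both), but `2--`, `1*2` and `3-1` are rejected before any SQL runs, so the comment and arithmetic probes are what separate a concatenated parameter from one that is cast. Note also that the quote rule fires for the casting handler too, because its rejection page "lacks data"; on its own that probe only tells you the input was not accepted as-is.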