An Example of Cross-Site Scripting
Suppose a database back-end gives access to a database using a form that requests a user name and selects the rows to act upon based on that. The back-end code is:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
If the user enters the name “anthony” in the UserId box, the query becomes
SELECT * FROM Users WHERE UserId = anthony
and this selects all rows in the table Users with the UserId field being “anthony”. So whatever action is taken based on this query will only use the information about the user “anthony”.
If the user enters the name “admin OR 1=1” in the UserId box, the query becomes
SELECT * FROM Users WHERE UserId = admin OR 1=1
This is true for all rows, because if UserId is not “admin”, then “1=1” is true. So all rows are selected. And whatever action is taken based on this query will use information about all the users.
ECS 135, Computer Security Version of April 4, 2021 at 10:23PM