Lesson Plan Title: Modify Data with SQL

Concept / Topic To Teach:
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.

Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.

It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.

General Goal(s):
The form below allows a user to view salaries associated with a userid (from the table named salaries). This form is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to modify the salary for userid jsmith.

Solution:

In this lesson, instead of using the SELECT query command, we use the UPDATE command, which uses the format:
UPDATE table SET column=value WHERE column=value;

We need to update the table salaries, setting the salary column to a new number.
We will use the command:
UPDATE salaries SET salary=999999 WHERE userid='jsmith'

We also need to end the previous query and leave our last quote open to make a valid statment.
To complete this lesson, type the following into the field and press go:
whatever'; UPDATE salaries SET salary=999999 WHERE userid='jsmith

If you then search for the userid jsmith, you will see the salary has been updated.


Updated salary after using a MODIFY query.