Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/aswinbarath/sql-injection-and-prevention

Demonstrates SQL injection attacks using malicious SQL queries and SQL prevention techniques.

bootstrap4 css3 html5 javascript mariadb-database php


README

        

# SQL Injection and Prevention




Demonstrates SQL injection attacks using malicious SQL queries and SQL prevention techniques.

[Deployed project link](https://sql-injection-and-prevention.herokuapp.com/)

---

## Table of content

- [Demo](#Demo)
- [SQL Injection Demo](#SQL-Injection-Demo)
- [Navbar Demo](#Navbar-Demo)
- [What's unique in this Project](#whats-unique-in-this-project)
- [What's SQL Injection](#whats-sql-injection)
- [Technologies](#Technologies)
- [Installation](#Installation)
- [Contributors](#Contributors)

---

## Demo

### SQL Injection Demo

- In this demo, the database schema is displayed first.
- Later, four sets of login credentials are tested:
  1. Correct credentials present in the user database
  2. Wrong credentials, to show the failure message
  3. The first SQL injection example
  4. The second SQL injection example


(animated GIF: SQL Injection demo)

### Navbar Demo

- In this demo, the Navigation bar is demonstrated


(animated GIF: SQL Injection navbar demo)

---

## What's unique in this Project

- The project is deployed as microservices for the front end, server, and database on the Heroku cloud platform
- Demonstrates SQL injection in a clear, reproducible way using the **LAMP** stack
- Follows best practices and code readability

---

## What's SQL Injection

- SQL injection is an attack in which user-supplied text is placed into a SQL query in a way that changes the query's structure, letting the attacker read or modify data, bypass authentication, and in some server configurations take over the database server itself.
- It is a web application vulnerability that arises when input (form fields, URL parameters, headers) is concatenated directly into SQL (Structured Query Language) text instead of being passed to the database separately from the query.
- If the application does not keep data and query separate, the database executes whatever statement the attacker has assembled.
- This can lead to unauthorized access, data theft, or manipulation and deletion of database contents.
- The primary defence is parameterized queries (prepared statements): the query text is fixed and the values are bound separately, so quotes, `or`, and comment markers in the input are never parsed as SQL.
- Input validation and least-privilege database accounts add useful defence in depth. Output encoding is a control against cross-site scripting, not SQL injection.
- In this project, the attack is carried out through the login page: the backend builds its SQL query by concatenating the username and password fields, so a crafted value becomes part of the statement.
- Because the injected text changes the meaning of the query, the backend's intended check (a matching username and password) is hijacked.
- The first injection payload used in this demonstration is `' or 1=1--`.
- The leading `'` closes the string literal, `or 1=1` makes the `WHERE` clause true for every row, and `--` comments out the rest of the statement, including the password check.
- Note that MariaDB/MySQL only treat `--` as a comment when it is followed by whitespace, so the payload is typically typed with a trailing space (`' or 1=1-- `) or uses `#` instead.
- The second payload is `admin' or '1'='1`.
- Here the `'` closes the string after `admin`, and `or '1'='1` appends a tautology whose final quote is supplied by the original query. Because `or` only needs one true side, the condition holds for the `admin` row regardless of whether the password matches.
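As an added example (not code from this project), the following Python script shows both README payloads against a login check built by string concatenation, next to the same check written with a parameterized query. The project itself is PHP on MariaDB; `sqlite3` is used here only so the example runs offline with no server. The `users` table, its plaintext passwords, and the query shape are assumptions that mirror a typical teaching login form.

```python
"""Added example: two forms of a login query, one injectable and one not.

Assumptions (not from the project): a 'users' table with plaintext
passwords, and a login check of the shape
    WHERE username = '<user>' AND password = '<pass>'
sqlite3 stands in for MariaDB so the script runs without a database server.
"""

import sqlite3

# Constructed sample data. Real systems store password hashes, never plaintext.
SAMPLE_USERS = [
    ("admin", "S3cret!"),
    ("aswin", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The anti-pattern: user input pasted straight into the SQL text."""
    return (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Return the matched username or None. Input is parsed as SQL."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[1] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with placeholders: the query text is fixed and the values
    travel separately, so quotes, OR and '--' in the input stay data."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


# The two payloads from the README. The trailing space after '--' matters on
# MariaDB/MySQL, which only treat '--' as a comment when whitespace follows;
# SQLite accepts '--' either way, so this form works on both engines.
PAYLOAD_COMMENT = "' or 1=1-- "
PAYLOAD_TAUTOLOGY = "admin' or '1'='1"


def demo() -> dict:
    """Run every case and return the username each login attempt resolved to."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "aswin", "hunter2"),
        "wrong_vuln": login_vulnerable(conn, "aswin", "wrong"),
        # Payload 1 in the username field. The resulting WHERE clause is
        #   username = '' or 1=1-- ' AND password = 'anything'
        # so the password check is commented out and the first row matches.
        "payload1_vuln": login_vulnerable(conn, PAYLOAD_COMMENT, "anything"),
        # Payload 2 in the username field with a wrong password:
        #   username = 'admin' or '1'='1' AND password = 'wrong'
        # AND binds tighter than OR, so this is
        #   username = 'admin' OR ('1'='1' AND password = 'wrong')
        # and the admin row matches on the left side alone.
        "payload2_vuln": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, "wrong"),
        # With bound parameters the same payloads are just unknown usernames.
        "valid_safe": login_safe(conn, "aswin", "hunter2"),
        "payload1_safe": login_safe(conn, PAYLOAD_COMMENT, "anything"),
        "payload2_safe": login_safe(conn, PAYLOAD_TAUTOLOGY, "wrong"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD_COMMENT, "anything"))
    for case, who in demo().items():
        print(f"{case:14s} -> {who}")
```

Running the script prints the rewritten query for the first payload and shows that both payloads log in as `admin` through `login_vulnerable` while `login_safe` rejects them; the only difference between the two functions is whether the values are bound or concatenated.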

---

## Technologies

### Front End

- [HTML5](https://html.com/)
- [CSS3](https://www.w3.org/Style/CSS/Overview.en.html)
- [Bootstrap4](https://getbootstrap.com/)
- [JavaScript](https://www.javascript.com/)

### Back End

- [XAMPP](https://www.apachefriends.org/download.html)
- [Apache HTTP Server](https://httpd.apache.org/)
- [MariaDB database](https://mariadb.com/)
- [PHP](https://www.php.net/)

---

## Installation
To get the project working, you need to install the following dependencies.
1. [XAMPP Control Panel](https://www.apachefriends.org/download.html)
2. [Heroku CLI](https://devcenter.heroku.com/articles/heroku-cli)

---

## Contributors

- T Aswin Barath

---

**[⬆ Back to Top](#Table-of-content)**