Difference between revisions of "Talk:OWASP Testing Guide v2 Table of Contents"

From OWASP
Jump to: navigation, search
(added to wrong discussion page, should be on AJAX testing discussion board)
Line 1: Line 1:
I believe that publishing this SQL injection as a test method is extremely dangerous. While professional testers know not to drop tables from databases, inexperienced testers or malicious users could attempt this on sites with potentially disastrous effects.
 
  
<pre>
 
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
 
</pre>
 
 
I would recommend using a more benign SQL injection example, such as:
 
 
<pre>
 
SELECT id FROM users WHERE name=''or+1=1--' AND pass='';
 
</pre>
 
 
This isn't the best example either as it may allow someone to log into a site, but it's better than dropping the users table.  Then again, all SQL injection is dangerous.
 

Revision as of 15:15, 11 January 2007