5a.8. Your customer database is secure!

PROJECT: CHAOS sends the same POST request, with the SQL injection string in it...

Hypertext Transfer Protocol
POST /placeOrder.php HTTP/1.1
Request Method: POST
Request URI: /placeOrder.php
Request Version: HTTP/1.1
Host: www.headfirstlabs.com
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
phone=' || 'a' = 'a

...but this time, your new-and-improved PHP stops the attack.

lookupCustomer.php

Now lookupCustomer.php only returns a single customer, and isn't vulnerable to most SQL injection attacks.
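The page shows the captured request but not what the improved lookupCustomer.php does. The following is an added example, not the book's code: the unsafe lookup (the "before", which the captured payload defeats) beside a parameterized version that behaves the way the page describes, returning at most one customer and ignoring the injected SQL. It assumes a PDO connection to MySQL, a `customer` table with `first_name`, `last_name` and `phone` columns, and placeholder credentials; all of these are assumptions, since the page names none of them.

```php
<?php
// Added example, not code from the Head First page.
// Assumptions (not on the page): MySQL reached through PDO, a table
// customer(first_name, last_name, phone), and the placeholder DSN/credentials below.

declare(strict_types=1);

// The payload exactly as it appears in the captured POST body: phone=' || 'a' = 'a
const INJECTED_PHONE = "' || 'a' = 'a";

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=EXAMPLE_DB;charset=utf8mb4';   // placeholder
    return new PDO($dsn, 'EXAMPLE_USER', 'EXAMPLE_PASSWORD', [          // placeholders
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The "before": user input is spliced into the SQL text. With MySQL's default
// sql_mode, || is logical OR (not string concatenation), so the query becomes
//   SELECT ... WHERE phone = '' || 'a' = 'a'
// which is true for every row, and the whole customer table comes back.
function lookupCustomerVulnerable(PDO $db, string $phone): array
{
    $sql = "SELECT first_name, last_name, phone FROM customer WHERE phone = '$phone'";
    return $db->query($sql)->fetchAll();
}

// The "after": the SQL text is fixed and the value is sent as a bound parameter.
// The server never parses the payload as SQL; it can only match a customer whose
// phone number is literally the string "' || 'a' = 'a", i.e. nobody.
// LIMIT 1 additionally caps what a lookup can ever return to a single customer.
function lookupCustomerSafe(PDO $db, string $phone): ?array
{
    $stmt = $db->prepare(
        'SELECT first_name, last_name, phone FROM customer WHERE phone = ? LIMIT 1'
    );
    $stmt->execute([$phone]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Defence in depth on the request side: the field is supposed to hold a phone
// number, so reject anything that does not look like one before it reaches the
// database at all. The pattern is an assumption about what "phone" should contain.
function isPlausiblePhone(string $phone): bool
{
    return preg_match('/^\+?[0-9][0-9 .()-]{5,19}$/', $phone) === 1;
}

if (PHP_SAPI === 'cli') {
    $db    = connect();
    $phone = INJECTED_PHONE; // replay the captured value from the command line

    printf("input plausible as a phone number: %s\n", isPlausiblePhone($phone) ? 'yes' : 'no');

    $leaked = lookupCustomerVulnerable($db, $phone);
    printf("vulnerable lookup returned %d row(s)\n", count($leaked)); // every customer

    $one = lookupCustomerSafe($db, $phone);
    printf("parameterized lookup returned %s\n", $one === null ? 'no customer' : 'one customer');
}
```

The two lookups receive the identical string from the form; only the parameterized one treats it as data. Keeping `PDO::ATTR_EMULATE_PREPARES` off matters because with emulation enabled the PHP driver escapes and interpolates the value client-side instead of letting the server bind it, which is still safe for this payload but is a weaker guarantee than a true prepared statement.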
SQL Injection is only the tip of the iceberg... we'll be back when you least expect it. PROJECT: CHAOS