As I have some experience with ASP.NET and MSSQL, I know how it overcomes the injection problem: we pass parameters into the query in ADO.NET to solve the injection problem. I also had a doubt about how my Drupal CMS handles SQL injection in its databases.
If we log in as in the above process, the query will be of the form

SELECT uid FROM users WHERE name="Admin" OR uid=1 OR "1"="1" AND password="xxxxxxxxx"

Because AND binds tighter than OR, this is evaluated as name="Admin" OR uid=1 OR ("1"="1" AND password="xxxxxxxxx"), so the row for Admin (uid 1) matches whatever the password is. A query in this form therefore logs the attacker in with admin privileges without knowing the admin password.
But Drupal actually provides built-in SQL injection prevention.

The db_query family of functions takes care of escaping user input for you, as long as you pass the values as parameters to the function and do not concatenate them into the SQL statement yourself. When the value travels as a parameter it is treated as data, not as part of the query, so the quotes and OR clauses in the example above cannot change the structure of the statement and arbitrary SQL cannot be injected through it.

Drupal also provides functions to process URLs and SQL arguments safely on behalf of users. Drupal 7 went further and rebuilt the database layer (the Database API) on top of PDO prepared statements with named placeholders such as :name, so the separation between query text and data is enforced by the driver rather than by string escaping. The protection only holds for queries written that way: any query that still builds its SQL by concatenating user input (for example a table name or an ORDER BY column, which placeholders cannot bind) remains injectable.
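To make the difference concrete, here is an added example that is not from the original post and not Drupal's own code. It uses plain PDO with an in-memory SQLite table (constructed sample rows; the function names login_vulnerable and login_safe are hypothetical) to show the injected login from above succeeding against string-built SQL and failing against a prepared statement with named placeholders, which is the mechanism Drupal 7's db_query() relies on underneath. Single quotes are used for the string literals because SQLite treats double-quoted strings differently from MySQL.

```php
<?php
// Added example (not Drupal's code): string-built SQL versus named placeholders.
// Runs offline with the bundled pdo_sqlite driver.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for Drupal's users table.
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL, pass TEXT NOT NULL)');
$db->exec("INSERT INTO users (uid, name, pass) VALUES (1, 'Admin', 'correct-horse'), (2, 'bob', 'hunter2')");

// Vulnerable: the user-supplied values are pasted into the statement text,
// so a quote inside $name ends the literal and the rest becomes SQL grammar.
function login_vulnerable(PDO $db, string $name, string $pass)
{
    $sql = "SELECT uid FROM users WHERE name = '$name' AND pass = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['uid'] : null;
}

// Safe: the statement is compiled with placeholders before any value is seen;
// the values are then bound as data and cannot alter the query structure.
// Drupal 7's db_query($sql, array(':name' => $name, ':pass' => $pass)) does the same.
function login_safe(PDO $db, string $name, string $pass)
{
    $stmt = $db->prepare('SELECT uid FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute(array(':name' => $name, ':pass' => $pass));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['uid'] : null;
}

// Constructed attacker input. In the vulnerable function the WHERE clause becomes
//   name = 'Admin' OR uid=1 OR '1'='1' AND pass = 'xxxxxxxxx'
// which is the same shape as the injected query discussed in the post.
$evilName  = "Admin' OR uid=1 OR '1'='1";
$wrongPass = 'xxxxxxxxx';

var_dump(login_vulnerable($db, $evilName, $wrongPass));
var_dump(login_safe($db, $evilName, $wrongPass));
var_dump(login_safe($db, 'Admin', 'correct-horse'));
```

Run it with php on the command line: the string-built query returns uid 1 even though the password is wrong, the placeholder version returns no row because it looks for a user literally named `Admin' OR uid=1 OR '1'='1`, and the third call shows a genuine login still works. The only difference between the two functions is whether the value reaches the database as text or as a bound parameter, which is exactly the distinction the db_query advice above is about.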
Hi Ugesh, fantastic and marvellous... keep it up, man.