SQLite - SPLessons

SQLite Injection

Chapter 20

SPLessons 5 Steps, 3 Clicks
5 Steps - 3 Clicks

SQLite Injection

SQLite Injection

shape Description

SQLite Injection is Relational Database Management System that is composed in C dialect for adjusting the height and width of the implanted frameworks like ANDROID and GPS. For performing all the executions or operations doesn’t require any special servers. The complete setup will be provided in the SQLite setup by default.

Injection mostly defines while approaching a client for information, similar to their names, and rather than the names in the SQLite proclamation that will definitely keep running in the database. Client provided details should be validate first by performing some matching patterns inside the database.

shape Syntax

if (preg_match(“/^\w{8,20}$/”,$_GET[‘username’],$matches)){
$db=new SQLiteDatabase(‘filename’);
$result=@$db->query(“SELECT * FROM users WHERE username=$matches[0]”);
}else{
echo “username not accepted”;
}

In the above syntax structure, the client_name is limited to underscore and alphanumerical scorches and contain length 8-20 characters. 

shape Examples

For understanding this kind of situations, consider the following example:

$name="Qadir';DELETE FROM users;";
@$db->query("SELECT * FROM users WHERE username='{$name}'");

In the above example, actually the function should acquire a result set from the client table and the column name should be same as the names determine by the user, $name should contains perhaps spaces and alphanumeric characters and alias name too. If not all the records from the client will be deleted from the injected query.

SQLite injection prevention

shape Description

In cartography dialects like PHP and PERL, these SQLite injection cleverly controls this departures characters. The PHP programming dialects gives the utilitarian string SQLite_escape_string() to control the character inputs that are some kind of particular string characters to SQLite.

shape Syntax

if(get_magic_quotes_gpc())
{
$name=SQLite_escpae_string($name);
}
$result=@$db->query(“SELECT * FROM users WHERE username='{$name}'”);

For embedding the information the above syntax is exceptionally helpful for encoding the queries that are executed in like clauses statement and basic content characters and usually contain binary coded data variables.

Summary

shape Key Points

  • Injection – Is a relational database managment systems that are composed in ‘C’ language.
  • SQLite injection prevention – Controls the departures characters.