Let's say I have this SQL statement:
stmt.executeUpdate("INSERT INTO TUNEUSER (USERNAME,PASSWORD,BALANCE) VALUES ('"
+ daf.getString("username")
+ "','"
+ daf.getString("password")
+ "',0.00)");
and the application has a username and password field.
How can SQL injection be used to increase the balance from "0.00" to whatever you want?
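For contrast with the concatenated statement above, here is the same INSERT written with bound parameters, so the username and password can only ever be column values and the balance is set by the server. This is an added example, not part of the original post; the class name `TuneUserDao`, the method `insertUser` and the JDBC URL passed as the first argument are assumptions.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class TuneUserDao {
    // Fixed statement text: the three values are placeholders, never concatenated.
    private static final String INSERT_USER =
        "INSERT INTO TUNEUSER (USERNAME, PASSWORD, BALANCE) VALUES (?, ?, ?)";

    // The opening balance is decided by the server, not derived from request input.
    private static final BigDecimal OPENING_BALANCE = new BigDecimal("0.00");

    /** Inserts one user; returns the number of rows inserted (1 on success). */
    public static int insertUser(Connection conn, String username, String password)
            throws SQLException {
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("username and password are required");
        }
        try (PreparedStatement ps = conn.prepareStatement(INSERT_USER)) {
            // Bound values are sent as data; quotes inside them cannot end the
            // string literal or add columns to the VALUES list.
            ps.setString(1, username);
            ps.setString(2, password); // stored as given, matching the original statement
            ps.setBigDecimal(3, OPENING_BALANCE);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL of a test database that already has the
        // TUNEUSER table (assumption; a matching JDBC driver must be on the classpath).
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // Constructed sample input: the quote is stored as part of the name.
            int rows = insertUser(conn, "o'brien", "constructed-sample-password");
            System.out.println("rows inserted: " + rows);
        }
    }
}
```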