Tuesday, May 15, 2012

About SQL Injection

SQL injection is the means by which an attacker passes malicious input to a database: a fragment of SQL supplied through an online form (or any other input the application accepts) is concatenated into your SQL statement and becomes part of the query the database executes.

SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without first validating or escaping potentially harmful characters. It occurs when an attacker is able to insert SQL statements into a query by manipulating the data input into an application.

Example
  1. Enter first name kur'n and last name Daud.
The application builds: Select id,firstname,lastname from author where firstname='kur'n' and lastname='daud'
The unbalanced quote gives a syntax error, which tells the attacker that input reaches the query unescaped.

2. Enter username ';drop table usertable
The semicolon terminates the first query and the second statement drops the table (this works only where the database driver accepts more than one statement per call).

3. Username admin'--
The -- comments out the rest of the WHERE clause, including the password check, so the attacker is logged in as admin without a password.
4. Username ' or 1=1--
The condition is always true, so every row matches.
5. Username ' union select 1,'functional user','same password',1--
Here the application believes that the constant row the attacker specified was part of the record set retrieved from the database.

SQL Injection Prevention
  1. Use stored procedures and parameterized queries: bind client-supplied values as parameters so they are sent to the database as data and are never interpreted as SQL syntax.
  2. Protect the SQL syntax: never allow client-supplied data to modify the syntax of an SQL statement. All SQL statements required by the application should be in stored procedures and kept on the database server.
  3. Protect at the application level: validate input and reject or escape any characters that could be used in an SQL injection attempt. Treat this as defense in depth, not as a substitute for parameterization, because character filtering is easy to get wrong.
  4. Combined approach: first make sure that your SQL syntax is secure; second make sure that your application rejects SQL injection attempts; finally use stored procedures to update your database, and apply the restrictions your DBMS (such as Oracle or SQL Server) provides, for example a least-privilege database account for the application.
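The payloads from the example above, run against a vulnerable string-concatenated login query and against its parameterized replacement. This is an added example, not code from the original post; it uses an in-memory SQLite database with constructed sample users (admin, alice, bob), so the table name, columns and passwords are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, username text, password text)")
    conn.executemany("insert into users (username, password) values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the query is built by string concatenation, so quotes, -- and
    UNION in the input become part of the SQL syntax."""
    sql = ("select id, username from users where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized: the statement text is fixed and the driver passes the values
    separately, so they can never change the query's structure."""
    sql = "select id, username from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def table_exists(conn, name):
    row = conn.execute("select 1 from sqlite_master where type='table' and name=?", (name,)).fetchone()
    return row is not None


def unbalanced_quote_errors(conn):
    """Example 1 from the page: kur'n breaks the quoting and raises a syntax error."""
    try:
        login_vulnerable(conn, "kur'n", "daud")
    except sqlite3.Error:
        return True
    return False


def try_stacked_query(conn):
    """Example 2 from the page: the stacked '; drop table' payload. Python's sqlite3
    module refuses more than one statement per execute() call, so the attack fails
    at the driver here; drivers that allow multiple statements would run the DROP.
    Returns True if the users table survived."""
    try:
        login_vulnerable(conn, "'; drop table users--", "x")
    except (sqlite3.Error, sqlite3.Warning):
        pass
    return table_exists(conn, "users")


if __name__ == "__main__":
    db = make_db()
    # Example 3: admin'-- comments out the password check.
    print(login_vulnerable(db, "admin'--", "x"))       # [(1, 'admin')]
    print(login_safe(db, "admin'--", "x"))             # []
    # Example 4: ' or 1=1-- matches every row.
    print(login_vulnerable(db, "' or 1=1--", "x"))     # all three users
    # Example 5: a UNION adds a constant row the application treats as a real user.
    print(login_vulnerable(db, "' union select 99,'functional user'--", "x"))
    print(unbalanced_quote_errors(db), try_stacked_query(db))
```

The UNION payload has to match the column count of the original SELECT (two here), which is why the attacker on the page first provokes an error to learn the query's shape. The parameterized version returns nothing for every payload because each one is simply compared, as a literal string, against the username column.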

Database Testing Checklist

Folks,

Keep the following points in mind when doing database testing. I hope this will be helpful.
  1. Field size validation
  2. Check constraints
  3. Whether indexes have been created (for performance-related issues)
  4. Stored procedures
  5. Field sizes defined in the application match those in the database
  6. Events such as insert, update and delete (including triggers)
  7. Data integrity, data validity, and data manipulation and update

Tuesday, May 8, 2012

Difference between Delete and Truncate and count

Difference between Delete and Truncate
TRUNCATE TABLE deallocates the table's data pages, so the storage is released for reuse immediately, without waiting for row-by-row cleanup; it is a DDL operation, cannot take a WHERE clause, and does not fire row-level delete triggers. DELETE removes rows one at a time, logging each one, can be restricted with a WHERE clause and rolled back, and the space it frees is not reclaimed until the database reuses or compacts the pages.

Difference between count(*) and count(column)
count(*) counts every row, including rows where a column is NULL, while count(column) counts only the rows where that column is not NULL (and count(distinct column) additionally drops duplicates).

Wednesday, May 2, 2012

QTP-How to create and delete folder on path

VBScript to create 5 folders test1 test2 test3 test4 test5

' FileSystemObject gives access to the local file system.
' CreateFolder raises an error if the folder already exists, so check first.
Set fso = CreateObject("Scripting.FileSystemObject")
For i = 1 To 5
    If Not fso.FolderExists("C:\test" & i) Then
        fso.CreateFolder "C:\test" & i
    End If
Next

VBScript to delete folders test1, test2, test3, test4 and test5
' DeleteFolder raises an error if the folder is missing, so check first.
' Note that it removes the folder and everything inside it.
Dim vfso
Set vfso = CreateObject("Scripting.FileSystemObject")
For i = 1 To 5
    If vfso.FolderExists("C:\test" & i) Then
        vfso.DeleteFolder "C:\test" & i
    End If
Next