Open in app

Sign in

Write

Sign in

Home

Following

Library

Stories

Stats

Member-only story

Sql injection using Parameters (P-DB-b-1)

Imran Niaz
5 min readJul 9, 2023

Using Sql for testing db is much batter almost every one know about it how to use in basic way. all know there are many ways that we can test sql injection . My name is Imran a person who always try to find loop hole in web application maybe your app will be next.

Version 0.02 :

This is basic Version but you will get much batter understanding of SQL injection and Sql Other scripts.

in Future we will see using other tools with Sqlmap fro batter results

To we will see how can we use Sqlmap to find sql injection in public server. and also try to make our own web application that will be a good target to find app. wit hour app we will see how can we use Sql injection in protected web application.

Mothed will are going to fallow in this one that will be Parameters that is one of best way

async function get_comment(req, res) {
  try {
    let comment_id = req.query.id;
    
    // Validate comment_id to ensure it is a non-empty string or a positive integer
    if (!comment_id || isNaN(comment_id) || parseInt(comment_id) <= 0) {
      res.status(400).send('Invalid comment ID');
      return;
    }
    
    // Use parameterized query to prevent SQL injection
    let sql_query = "SELECT * FROM comments WHERE id = ?";
    let comment = await db.execute_query(sql_query, [comment_id]);
    
    // Check if comment exists
    if (comment.length === 0) {
      res.status(404).send('Comment not found');
      return;
    }
    
    let html = template.render(comment);
    res.html(html);
  } catch (error) {
    console.error(error);
    res.status(500).send('Internal Server Error');
  }
}

For Parameter Testing :

Parameters testing on of best way to test SQL injection.Reason Patameter testing can help you to ideintyfy the diffrent issue like SQL injection , XSS , html injection.

const { expect } = require('chai');

describe('get_comment', () => {
  it('should return the comment HTML when a valid comment ID is provided', async () => {
    const req = { query: { id: '123' } };
    const res = {
      html: (html) => {
        expect(html).to.be.a('string');
        // Add additional assertions as needed
      },
      status: () => res,
      send: () => res,
    };

    await get_comment(req, res);
  });

  it('should return a 400 Bad Request when an invalid comment ID is provided', async () => {
    const req…

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Continue in app
Or, continue in mobile web

Already have an account? Sign in

Imran Niaz
Imran Niaz

Written by Imran Niaz

633 Followers
8 Following

I hope you all are well. My name is Imran Niaz. I like to see such things related to technology and global politics. They are changing the society ..

No responses yet

Write a response

What are your thoughts?

More from Imran Niaz

See all from Imran Niaz

Recommended from Medium

See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech