Web SQL Database Client-side SQL Injection Example

In this example a database named 'tweet_db' is created locally (in the browser's Web SQL Database storage) and the most recent tweets from my Twitter account are stored in it.

There is an option to insert new tweets into the database by entering the Status ID of the tweet and then clicking one of the two buttons.

Button 1: Inserts the tweet using a concatenation-based SQL query, in which the tweet text is spliced directly into the SQL string. This is vulnerable to SQL Injection.
Button 2: Inserts the tweet using a parameterized SQL query, in which the tweet text is passed as a separate argument and never parsed as SQL. This is safe against SQL Injection.

To demonstrate the SQL Injection attack, a special tweet carrying an attack payload is available with Status ID 15878093528.
Insert this special tweet using both methods and see how the 'Insecure insert' makes it appear to be a tweet from Bill Gates, while the parameterized insert stores the payload as plain text.

Note: This example is vulnerable to Cross-site Scripting. Output encoding has been omitted to keep the code clear. To prevent XSS, refer to the Secure XSS demo.
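The two insert paths the demo contrasts, written out as an added example (this is not the demo's own source code). The table and column names (tweets, status_id, screen_name, text), the helper names and the sample tweet are assumptions made for illustration; the Web SQL calls (openDatabase, transaction, executeSql) are the real browser API. A small recording transaction stands in for a Web SQL transaction so the functions can be exercised outside a browser; an ordinary apostrophe in the tweet text is enough to show why concatenation is unsafe, since the same mechanism lets a crafted tweet change the statement.

```javascript
// Added example, not code from the original demo page.
// Table/column names and the sample tweet are assumptions.

// Insecure: the tweet fields are concatenated into the SQL text, so any quote
// character in the data changes the statement the database parses.
function buildInsecureInsert(tweet) {
  return "INSERT INTO tweets (status_id, screen_name, text) VALUES (" +
    tweet.id + ", '" + tweet.screen_name + "', '" + tweet.text + "')";
}

// Safe: the SQL is a constant with '?' placeholders; the values are handed to
// executeSql separately and are never interpreted as SQL.
const SAFE_INSERT_SQL =
  "INSERT INTO tweets (status_id, screen_name, text) VALUES (?, ?, ?)";

function insertTweetInsecure(tx, tweet) {
  tx.executeSql(buildInsecureInsert(tweet));
}

function insertTweetSafe(tx, tweet) {
  tx.executeSql(SAFE_INSERT_SQL, [tweet.id, tweet.screen_name, tweet.text]);
}

// Stand-in for a Web SQL transaction (assumed, for running outside a browser):
// it records each statement and argument list it receives.
function recordingTransaction() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args) { calls.push({ sql, args: args || [] }); }
  };
}

// Counts single quotes in a statement; an odd count means the concatenated
// string is no longer the statement the application intended.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample tweet (not a real tweet); the apostrophe is the point.
const SAMPLE_TWEET = { id: 1, screen_name: 'someone', text: "I'm testing quotes" };

// Runs both inserts against recording transactions and returns what each
// would have sent to the database.
function demo(tweet) {
  const insecureTx = recordingTransaction();
  const safeTx = recordingTransaction();
  insertTweetInsecure(insecureTx, tweet);
  insertTweetSafe(safeTx, tweet);
  return {
    insecureSql: insecureTx.calls[0].sql,
    insecureQuoteCount: countQuotes(insecureTx.calls[0].sql),
    safeSql: safeTx.calls[0].sql,
    safeArgs: safeTx.calls[0].args
  };
}

// In a browser that still exposes Web SQL, the same functions work on a real
// transaction; only the parameterized insert is used here.
if (typeof openDatabase === 'function') {
  const db = openDatabase('tweet_db', '1.0', 'tweets', 1024 * 1024);
  db.transaction(function (tx) {
    tx.executeSql('CREATE TABLE IF NOT EXISTS tweets ' +
      '(status_id INTEGER, screen_name TEXT, text TEXT)');
    insertTweetSafe(tx, SAMPLE_TWEET);
  });
}
```

Calling demo(SAMPLE_TWEET) shows the contrast: the insecure statement carries five single quotes (an unbalanced, rewritten statement), while the safe path sends the unchanged constant SQL and the apostrophe stays inside the argument array as data.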

Demo

Insert a tweet by entering the Status ID of the tweet:
Based on the Web SQL Database demo by Remy Sharp