I'm trying to show a demo on SQL injection, but it doesn't seem to work. I have tried to truncate a table named demo with this: "SELECT * FROM products WHERE booktitle like '%'Songs'; TRUNCATE TABLE demo --%'"
but it is not working.
I'm using MySQL with Node.js, and here is the code:
    app.post("/api/productsearch", (req, res) => {
      // The request value is interpolated straight into the SQL string,
      // so whatever the client sends becomes part of the statement text.
      db.query(
        `SELECT * FROM products WHERE booktitle like '%${req.body.searchData.booktitle}%'`,
        (err, result) => {
          if (err) {
            console.log(err);
          } else {
            res.json(result);
          }
        }
      );
    });
How do I do a SQL injection on the productsearch API? Many thanks in advance, and I greatly appreciate any help. Thanks
If you enter booktitle as '; TRUNCATE TABLE demo --, then the resulting SQL statement is

    SELECT * FROM products WHERE booktitle like '%'; TRUNCATE TABLE demo -- %'
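Added example (not code from the question or the answer above): the question's template-literal query isolated as a pure function so the effect of the answer's input can be inspected, next to the parameterised form that the Node mysql driver's db.query(sql, values, cb) accepts. countStatements is a constructed helper that only splits on ';' outside quotes and comments; it is not a real SQL parser.

```javascript
// The vulnerable construction from the question, isolated so it can be tested
// without a database: the value becomes part of the statement text itself.
function buildQueryUnsafe(booktitle) {
  return `SELECT * FROM products WHERE booktitle like '%${booktitle}%'`;
}

// Parameterised form (assumed driver call shape: db.query(sql, values, cb)).
// The SQL text is fixed; the value travels separately and is quoted by the
// driver, so it can never change the statement structure.
function buildQuerySafe(booktitle) {
  return {
    sql: "SELECT * FROM products WHERE booktitle LIKE ?",
    values: [`%${booktitle}%`],
  };
}

// Constructed helper: count top-level statements by looking for ';' that is
// not inside a single-quoted string and not inside a "--" line comment.
// Enough to show whether an input turned one statement into several.
function countStatements(sql) {
  let count = 1;
  let inString = false;
  let inComment = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inComment) {
      if (c === "\n") inComment = false; // comment ends at end of line
      continue;
    }
    if (inString) {
      if (c === "'") inString = false; // closing quote
      continue;
    }
    if (c === "'") inString = true;
    else if (c === "-" && sql[i + 1] === "-") inComment = true;
    else if (c === ";") count++;
  }
  return count;
}

// Demo with the answer's input (constructed sample, no database involved).
const probe = "'; TRUNCATE TABLE demo --";
console.log(buildQueryUnsafe(probe), "->", countStatements(buildQueryUnsafe(probe)), "statements");
console.log(buildQuerySafe(probe).sql, "->", countStatements(buildQuerySafe(probe).sql), "statement");
```

The unsafe builder yields two statements for the answer's input; the parameterised builder always yields one, with the input carried in `values` where the driver escapes it.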