SQL (?) injection

• Many embedded apps don't use a SQL db

• • SQLite, file based db being used more
  • Depending on how data is stored, similar techniques could be used

• Abuses SQL queries with crafted data from form variables:

• • SELECT id FROM users WHERE name='$name' AND pass='$pass'
  • if $pass is: ' OR 1=1 --
  • query becomes:
  • SELECT id FROM users WHERE name='$name' AND pass='' OR 1=1 --'