I don't recall where, but I have read about running some code (let's say, PHP code on a PHP-based web application) on the server through SQL injection. Is that possible? If yes, how exactly?
I understand that an unescaped field can lead to SQL injection and an attacker can execute SQL commands of his choice directly on the server. But I think of running only SQL commands, not some arbitrary code. Am I wrong here?