I don't recall where, but I have read about running some code (e.g. PHP code on a PHP-based web application) on the server through SQL injection. Is it possible? If yes, how exactly?
I understand that an un-escaped field can lead to SQL injection and that an attacker can execute SQL commands of his choice directly on the server. But I think of running only SQL commands, not some arbitrary code. Am I wrong here?