What is SQL injection?

SQL injection allows a hacker to inject malicious SQL statements by exploiting queries built from improperly sanitized input. It is by far one of the most common attack vectors and has been used in several well-known attacks.

For example, let’s say we use user-submitted form data to check a user’s credentials:

sqlQuery = "
    SELECT * FROM users
    WHERE username='" + username + "'
    AND password='" + password + "'
";

Normally, that query would only return a user with a matching username and password. But if the hacker supplies an existing username (e.g. eric123) and injects SQL into the password field (e.g. ' OR '1'='1), the query is completely altered:

SELECT * FROM users
WHERE username='eric123'
AND password='' OR '1'='1'

This query would return the user’s record and the application would log the user in even though no password was supplied. By using semicolons, a user could even insert entirely new queries:

SELECT * FROM users
WHERE username='eric123'
AND password=''; DELETE FROM USERS WHERE '1'='1'

In the scenario above, all the hacker had to do was to use '; DELETE FROM USERS WHERE '1'='1 in the password field.

SQL injection can be prevented by using query parameterization (prepared statements): the SQL text is fixed in advance and user input is passed to the database separately as data, so it can never change the structure of the query.
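The following is an added example, not code from the original post: it runs the page's login query both ways against a constructed in-memory SQLite database (Python's standard sqlite3 module; the user eric123 and password value are made up), showing that the ' OR '1'='1 input logs in through the concatenated query but is rejected by the parameterized one.

```python
import sqlite3

def make_db():
    # Constructed sample data: one user in an in-memory database.
    # The password is stored in plaintext only to mirror the page's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('eric123', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Builds the statement by string concatenation, exactly as on the page,
    # so attacker-controlled text becomes part of the SQL itself.
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders keep the SQL text fixed; the values travel separately
    # and are compared as data, never parsed as part of the statement.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # the password-field input from the page
    return {
        "vuln_correct": login_vulnerable(conn, "eric123", "correct-horse"),
        "vuln_wrong": login_vulnerable(conn, "eric123", "nope"),
        "vuln_injected": login_vulnerable(conn, "eric123", payload),
        "param_correct": login_parameterized(conn, "eric123", "correct-horse"),
        "param_wrong": login_parameterized(conn, "eric123", "nope"),
        "param_injected": login_parameterized(conn, "eric123", payload),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Only vuln_injected differs between the two versions: the concatenated query accepts the tautology, while the parameterized query treats the same text as a literal password and rejects it.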
