Everything About SQL Injection
“SQL Injection” is the name of a specific kind of attack: when attackers execute malicious SQL statements that affect your website or any web application, it is termed SQL Injection. It is one of the oldest and most dangerous ways to attack a web property.
When an application builds the SQL queries it uses to interact with the database from direct user input, without performing any validation, SQL Injection becomes possible because the application fails to distinguish between SQL code and data values.
Example query for SQL Injection:
"SELECT username, password FROM users_table WHERE username = '" + userName + "' and password = '" + password + "'"
For example, if a user inputs ' or'1'='1 for both the username and password fields in the above query, the interpreter will treat it as SQL code instead of data and execute the SQL query, as the input ' or'1'='1 is always true.
The above query changes to the following, which is a true condition, gets executed, and allows the user to log in with the privileges of the first user account in the DB, which is usually an administrator's:
SELECT username, password FROM users_table
WHERE username = '' or'1'='1' and
password = '' or'1'='1'
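The following is an added example, not code from the original article: it runs the article's concatenated query and a parameterized version of it against the same input, using Python's sqlite3 module. The in-memory database, the sample rows and the function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data. Table and column names follow the article's
    # query; plaintext passwords are kept only to mirror that query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users_table VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("alice", "alice-pw")],
    )
    return db

def login_concatenated(db, user_name, password):
    """Vulnerable form from the article: input is spliced into the SQL text."""
    query = (
        "SELECT username, password FROM users_table WHERE username = '"
        + user_name + "' and password = '" + password + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(db, user_name, password):
    """Hardened form: placeholders bind input as data, never as SQL code."""
    query = (
        "SELECT username, password FROM users_table "
        "WHERE username = ? AND password = ?"
    )
    row = db.execute(query, (user_name, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "' or'1'='1"  # the input quoted in the article
    # Concatenated: the WHERE clause is always true, so the first row matches.
    print("concatenated :", login_concatenated(db, payload, payload))
    # Parameterized: the same input is compared as a literal string, no match.
    print("parameterized:", login_parameterized(db, payload, payload))
    # A legitimate login still works with the parameterized query.
    print("valid login  :", login_parameterized(db, "alice", "alice-pw"))
```
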