Everything About SQL Injection

"SQL Injection": the term itself refers to one kind of attack. When attackers execute malicious SQL statements affecting your website or any web application, it is termed SQL Injection. This is one of the oldest and most dangerous ways to affect your web property.

When an application builds the SQL queries it uses to interact with the database from direct user input, without performing any validation, SQL Injection becomes possible because the application fails to distinguish between SQL code and data values.

Example query for SQL Injection:

    "SELECT username, password FROM users_table WHERE username = '" +
    userName + "' and password = '" + password + "'"

For example, if the user inputs ' or '1'='1 for both the username and password fields in the above query, the interpreter will treat it as SQL code instead of data and execute it, because the input ' or '1'='1 is always true.

The above query changes to the following, which is a true condition. It gets executed and allows the user to log in with the privileges of the first user account in the DB, which is usually that of an administrator.

    SELECT username, password FROM users_table
    WHERE username = '' or '1'='1' and password = '' or '1'='1'

