
SQL Injection


I found this excellent piece of art that made me smile…

In case you were wondering what SQL Injection means, it is a trick to inject SQL commands as input, possibly via web pages.

As seen above, the kid's name is Robert'); DROP Table STUDENTS;--

Now, if you run a login form that has a user name and a password, the SQL query behind this login form usually looks like this:

SELECT * FROM STUDENTS WHERE NAME='$name' AND PASSWORD='$password'

Now, if someone tries to perform an SQL Injection attack by taking Robert's name and putting it in as $name, the SQL query will look like this:

SELECT * FROM STUDENTS WHERE NAME='Robert'); DROP Table STUDENTS;--' AND PASSWORD='$password'

It is quite easy to protect your system from SQL Injection during the coding phase, but web programmers usually do a bad job regarding security.
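As an added example (not part of the original post), here is the login query from above in Python with sqlite3, once built by string concatenation and once parameterised, so you can see the table survive one and not the other. Everything here is constructed: the in-memory STUDENTS table, the alice/hunter2 row, and the input string, which drops the ")" from the comic because the post's SELECT has no opening parenthesis for it to close; executescript stands in for a database driver that accepts stacked statements.

```python
import sqlite3

# Constructed input: the comic's name, minus the ")" (the post's SELECT
# has no "(" to match it, so the ")" would just be a syntax error here).
BOBBY_TABLES = "Robert'; DROP TABLE STUDENTS;--"

def make_db():
    """Constructed fixture: an in-memory STUDENTS table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE STUDENTS (NAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO STUDENTS VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn

def build_query_unsafe(name, password):
    """The concatenation from the post: user input becomes SQL text."""
    return f"SELECT * FROM STUDENTS WHERE NAME='{name}' AND PASSWORD='{password}'"

def login_unsafe(conn, name, password):
    # executescript runs every statement in the string, so whatever the
    # caller appended after the closing quote runs too (the DROP TABLE).
    conn.executescript(build_query_unsafe(name, password))

def login_safe(conn, name, password):
    """Parameterised query: the driver binds the values, so the quote and
    semicolon in the name stay inside a string literal, never SQL."""
    cur = conn.execute(
        "SELECT * FROM STUDENTS WHERE NAME=? AND PASSWORD=?", (name, password)
    )
    return cur.fetchall()

def students_table_exists(conn):
    """Check used to confirm whether the table survived a login attempt."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='STUDENTS'"
    ).fetchone()
    return row[0] == 1

if __name__ == "__main__":
    db = make_db()
    print(login_safe(db, BOBBY_TABLES, "x"), students_table_exists(db))
    login_unsafe(db, BOBBY_TABLES, "x")
    print(students_table_exists(db))
```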

I’ll write some more about this issue soon…



2 Responses to “SQL Injection”

  1. SQL Tutorials Says:

    You know, the thing about SQL is, that there is virtually nothing that can replace it.

    Does anyone know if a substitute exists for sql? I mean besides MS SQL and Oracle and all that jazz. Thanks.

  2. SQL Tutorials Says:

    Does anyone know if there is another language or set of commands beside SQL for talking with databases?

    I'm working on a project and am doing some research, thanks.
