I found this excellent piece of art that made me smile…

In case you were wondering what SQL injection means, it is a trick for injecting SQL commands as input, possibly via web pages.
As seen above, the kid’s name is Robert');DROP Table STUDENTS;--
Now, if you run a login form that takes a user name and a password, the SQL query behind the form usually looks like this:
SELECT * FROM STUDENTS WHERE NAME='$name' AND PASSWORD='$password'
Now, if someone wants to perform an SQL injection attack, they take Robert’s name and put it in as $name, and the SQL query becomes:
SELECT * FROM STUDENTS WHERE NAME='Robert');DROP Table STUDENTS;--' AND PASSWORD='$password'
The quote inside the name ends the string literal early, so everything after it is read as SQL rather than as data, and the trailing -- comments out the rest of the query.
It is quite easy to protect your system from SQL injection in the coding phase, but web programmers usually tend to do a bad job regarding security.
I’ll write some more about this issue soon…
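The login query above with the name pasted into the SQL text, next to the same query with bound parameters, as an added example that is not code from the original post. It uses Python's sqlite3 module with a constructed in-memory table; the function names and sample passwords are assumptions.

```python
import sqlite3

# The name quoted in the post; everything else here is constructed sample data.
BOBBY = "Robert');DROP TABLE STUDENTS;--"

def make_db():
    conn = sqlite3.connect(":memory:")
    # Plaintext PASSWORD column mirrors the post's query; real systems store a hash.
    conn.execute("CREATE TABLE STUDENTS (NAME TEXT, PASSWORD TEXT)")
    # Placeholders let even this name be stored as ordinary text.
    conn.executemany("INSERT INTO STUDENTS VALUES (?, ?)",
                     [("alice", "s3cret"), (BOBBY, "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """The post's query: user input is pasted into the SQL text."""
    sql = ("SELECT * FROM STUDENTS WHERE NAME='%s' AND PASSWORD='%s'"
           % (name, password))
    # With BOBBY as the name, the quote closes the literal and the rest is
    # parsed as SQL. SQLite rejects the stray ')' with an exception, which
    # is itself the evidence that the input reached the SQL parser.
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, name, password):
    """Same lookup with bound parameters: input is only ever compared as data."""
    sql = "SELECT 1 FROM STUDENTS WHERE NAME = ? AND PASSWORD = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

def student_count(conn):
    return conn.execute("SELECT COUNT(*) FROM STUDENTS").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    try:
        login_vulnerable(db, BOBBY, "hunter2")
    except (sqlite3.Error, sqlite3.Warning) as exc:
        print("vulnerable query, name parsed as SQL:", exc)
    print("safe, correct password:", login_safe(db, BOBBY, "hunter2"))
    print("safe, wrong password:  ", login_safe(db, BOBBY, "wrong"))
    print("rows still in STUDENTS:", student_count(db))
```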
You know, the thing about SQL is that there is virtually nothing that can replace it.
Does anyone know if a substitute exists for SQL? I mean besides MS SQL and Oracle and all that jazz. Thanks.
Does anyone know if there is another language or set of commands beside SQL for talking with databases?
I’m working on a project and am doing some research, thanks.