
Archive for the ‘web application protection’ Category

SQL Injection

Thursday, January 3rd, 2008

I found this excellent piece of art that made me smile…

In case you were wondering what SQL Injection means: it is a technique for injecting SQL commands through user input, typically via web pages.

As seen above, the kid's name is Robert');DROP Table STUDENTS;--

Now, if you run a login form with a user name and a password, the SQL query behind it usually looks like this:

SELECT * FROM STUDENTS WHERE NAME='$name' AND PASSWORD='$password'

Now, if someone attempts an SQL Injection attack by entering Robert's name as $name, the SQL query becomes:

SELECT * FROM STUDENTS WHERE NAME='Robert');DROP Table STUDENTS;--' AND PASSWORD='$password'

It is quite easy to protect a system against SQL Injection during the coding phase, but web programmers usually do a poor job when it comes to security.
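To make the contrast concrete, here is an added example (not code from the original post) that builds the login query by string concatenation as shown above and, beside it, the parameterized form that keeps the input as data; it uses Python's standard sqlite3 module with a STUDENTS table constructed in memory.

```python
import sqlite3

# The name from the comic, exactly as quoted in the post.
BOBBY = "Robert');DROP Table STUDENTS;--"

def make_db():
    # Constructed in-memory table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE STUDENTS (NAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO STUDENTS VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def build_query_unsafe(name, password):
    # The pattern from the post: untrusted input pasted into the SQL text.
    return f"SELECT * FROM STUDENTS WHERE NAME='{name}' AND PASSWORD='{password}'"

def login_unsafe(conn, name, password):
    # The database parses whatever string resulted; a quote inside the input
    # ends the literal and everything after it is read as SQL.
    return conn.execute(build_query_unsafe(name, password)).fetchone()

def login_safe(conn, name, password):
    # Placeholders: the SQL text is fixed and the values travel separately,
    # so the name is compared as data and is never parsed as SQL.
    sql = "SELECT * FROM STUDENTS WHERE NAME=? AND PASSWORD=?"
    return conn.execute(sql, (name, password)).fetchone()

def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='STUDENTS'"
    ).fetchone()
    return row is not None

def demo():
    conn = make_db()
    try:
        login_unsafe(conn, BOBBY, "x")
        unsafe_outcome = "executed"
    except sqlite3.Error as err:
        # sqlite3 rejects the mangled statement rather than running it.
        unsafe_outcome = f"rejected: {err}"
    safe_row = login_safe(conn, BOBBY, "x")  # just a name that matches nothing
    return unsafe_outcome, safe_row, table_exists(conn)

if __name__ == "__main__":
    print(demo())
```

Note that the comic's name closes its literal with ') , a shape meant for a query that quotes the value inside parentheses; against this SELECT the stray ) is a syntax error, so the unsafe path fails loudly instead of dropping the table, but the input has still turned into SQL, which is the whole problem.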

I’ll write some more about this issue soon…
