What is SQL injection?

Question

What is SQL injection?

Possible duplicates:
XKCD sql injection - please explain
What is SQL injection?

I saw the term "SQL injection", but still do not understand. What is it?

0

sql sql-injection

ruchi Feb 07 '10 at 5:55

source share

3 answers

icktoofay · Answer 1 · 2010-02-07T06:01:04+0000

SQL injection is where someone inserts something malicious into one of your SQL queries.

Suppose you have an SQL query:

select * from people where name = '<name>' and password = '<password>'

Now suppose that <name>and <password>are replaced by someone on your web page. If someone typed this as their password ...

' or '' = '

... then the resulting query will look like this:

select * from people where name = 'someone' and password = '' or '' = ''

... which was clearly not your intention. You can read about it here .

Dan McGrath · Answer 2 · 2010-02-07T05:59:33+0000

SQL Injection - , , , , SQL.

Itay maman · Answer 3 · 2010-02-07T06:00:45+0000

SQL-, , . , " " , , .

, , , SQL-, , .

, :

String q = "Select * from books where name='" + bookName + "'"

Then the hacker can search for a book called "x'; delete from books where name like '%"

The end result will be the following query: Select * from books where name='x'; delete from books where name like '%'

This will delete all book table entries. The standard way to avoid this is to always use prepared instructions when building queries that include user-supplied snippets.

What is SQL injection?

More articles: