If the SQL statement is constructed like this:
SQL = "SELECT * FROM Users WHERE username = '" + user + "' AND password ='" + pw + "'";
db.execute(SQL);
Then a hacker could retrieve your data by giving a password like
pw' or '1'='1
The resulting SQL statement will be:
SELECT * FROM Users WHERE username = 'somebody' AND password ='pw' or '1'='1'
This one will pass the password check for all rows in the Users table because '1'='1' is always true.
To prevent this, use SQL parameters:
SQL = "SELECT * FROM Users WHERE username = ? AND password = ?";
db.execute(SQL, [user, pw]);
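Added example, not part of the original answer: a self-contained Python script that builds a constructed in-memory SQLite Users table (one row, `somebody` / `secret`, both made up for the demo) and runs the concatenated query and the parameterised query with the password shown above. The concatenated version matches a row even though the password is wrong; the parameterised version treats the whole string as a literal password and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('somebody', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    """Vulnerable pattern from the answer: user input spliced into the SQL text.

    Whatever quotes the caller puts in `pw` become part of the statement,
    so the WHERE clause can be rewritten by the input.
    """
    sql = ("SELECT * FROM Users WHERE username = '" + user
           + "' AND password ='" + pw + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, user, pw):
    """Fixed pattern: placeholders in the SQL, values passed separately.

    The driver sends the values as data, never as SQL, so a quote in `pw`
    is just a character in the password being compared.
    """
    sql = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchall()


def demo():
    """Run both queries with a correct password and with the payload
    from the answer; return the number of rows each call matched."""
    conn = make_db()
    payload = "pw' or '1'='1"  # the password string discussed in the answer
    return {
        "concat_correct": len(login_concat(conn, "somebody", "secret")),
        "concat_injected": len(login_concat(conn, "somebody", payload)),
        "param_correct": len(login_param(conn, "somebody", "secret")),
        "param_injected": len(login_param(conn, "somebody", payload)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s) matched")
```

Because AND binds tighter than OR, the spliced statement reads as `(username = 'somebody' AND password = 'pw') OR '1'='1'`, which is why `concat_injected` still matches the row; `param_injected` matches none because the comparison is against the literal string `pw' or '1'='1`.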