SQL Injection


SQL injection is a web application attack technique by which an attacker may gain access to your database. With such access the attacker might read the stored data, insert corrupt data, and update, alter or delete the data in the database.
SQL injection generally occurs when a form asks for input such as a user name and the user enters an SQL fragment in that field; if the application builds its query from that input, the fragment runs on your database.

If no steps are taken to prevent "wrong" input from the user, then the user is able to enter input like -

XYZ OR 1=1

If the application concatenates this value into its WHERE clause, the resulting SQL is valid and will return ALL rows from the table, since OR 1=1 is always TRUE.

You can use prepared statements (parameterized queries) to solve this issue. These are SQL statements that are sent to and parsed by the database server separately from any parameters, so the parameter values are handled as data rather than as part of the statement.
This way it is impossible for an attacker to inject malicious SQL through those parameters.
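The following is an added example, not code from the original post: it runs the post's OR 1=1 idea against a constructed in-memory SQLite table, once through a query built by string concatenation and once through a parameterized query, so you can see the first return every row and the second return none. The table, its rows and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flawed pattern: user input is glued into the SQL text, so the
    database parses whatever the user typed as part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement is parsed with a placeholder and the input is
    bound afterwards as a value, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The post's "XYZ OR 1=1" input, with the quotes a string column needs so the
# concatenated WHERE clause becomes: name = 'XYZ' OR '1'='1' (always true).
INJECTED_NAME = "XYZ' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTED_NAME))        # every row
    print("parameterized:", lookup_parameterized(db, INJECTED_NAME))  # no rows
    print("parameterized, real user:", lookup_parameterized(db, "bob"))
```

The parameterized lookup still finds a genuine user such as "bob"; it only stops the injected text from being interpreted as SQL.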
