views: 256
answers: 5

Possible Duplicates:
What is the best way to avoid SQL injection attacks?
XKCD sql injection - please explain
SQL injection on INSERT
What is SQL injection?

I have been reading about SQL injection, but I am not able to understand it. Can anyone tell me the real issues about SQL injection?

+10  A: 

SQL injection happens when you use user input and string manipulation to construct a SQL query. For example, if you have something like

SELECT * FROM users WHERE user_name = '$1'

where $1 is replaced by user input, if the user inputs:

'; DROP TABLE users; --

Then the SQL You end up executing would be

SELECT * FROM users WHERE user_name = ''; DROP TABLE users; --'

Which is probably not something you want users to be able to do.

Nathaniel Flath
plus one for out-typing me
orthod0ks
You’re inserting the value without quotes?
Gumbo
edit because you complained, though while more accurate I'm not sure this is any clearer.
Joel Coehoorn
Thank you very much. This is kind of helpful. If you can provide me a few other examples like that, it will be a great help for me. Thanks in advance.
Anoop
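The answer above shows the query string that results from dropping user input into the template. The following is an added example, not code from the original post or its author: it builds the same template in Python against an in-memory SQLite database with a few constructed rows, runs the concatenated string through a multi-statement executor (`executescript`, standing in for a driver that runs everything it is handed), and then runs the parameterized version of the same lookup so the effect of the two can be compared directly.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original page).
# "o'brien" is included to show that a legitimate apostrophe is also handled
# correctly once the value is passed as a parameter.
SAMPLE_USERS = [("alice",), ("bob",), ("o'brien",)]

# The exact input quoted in the answer above.
DROP_PAYLOAD = "'; DROP TABLE users; --"


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT)")
    conn.executemany("INSERT INTO users (user_name) VALUES (?)", SAMPLE_USERS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_query_unsafe(user_name):
    """The answer's template with $1 filled in by plain string substitution.
    The value is never inspected, so quotes and semicolons become SQL syntax."""
    return f"SELECT * FROM users WHERE user_name = '{user_name}'"


def lookup_unsafe(conn, user_name):
    """Executes the concatenated string. executescript runs every statement it
    contains, which is what a driver with multi-statement support does; the
    plain sqlite3 execute() would refuse the second statement instead."""
    conn.executescript(build_query_unsafe(user_name))


def lookup_safe(conn, user_name):
    """Parameterized version: the SQL text is fixed, and the driver binds the
    value separately, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE user_name = ?", (user_name,)
    ).fetchall()


def demonstrate():
    """Runs both lookups against fresh databases and reports what happened."""
    results = {}

    conn = make_db()
    lookup_unsafe(conn, DROP_PAYLOAD)
    results["users_table_survives_unsafe"] = table_exists(conn, "users")

    conn = make_db()
    results["safe_rows_for_payload"] = lookup_safe(conn, DROP_PAYLOAD)
    results["safe_rows_for_alice"] = lookup_safe(conn, "alice")
    results["safe_rows_for_obrien"] = lookup_safe(conn, "o'brien")
    results["users_table_survives_safe"] = table_exists(conn, "users")
    return results


if __name__ == "__main__":
    print(build_query_unsafe(DROP_PAYLOAD))
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The first printed line is exactly the statement the answer shows. With the concatenated query the `users` table is gone afterwards; with the parameterized query the same input simply matches no row, and the table is untouched.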
+2  A: 

Regardless of the prevalence of SQL injection, you should still build your architecture and statements around the fact that it is possible for someone to use it.

Prepared statements and other methods aren't that difficult and don't add that much development time instead of putting the user's input directly into the statement.

Chris S
A: 

You can take a look in Wikipedia (SQL Injection) or on Joel On Software

Naveen
+1  A: 

Consider this example:

$query = "SELECT * FROM myTable WHERE name LIKE '%" . $search_term . "%'";

The user provides a search term that you search a table against. If the user inputs "; SELECT * FROM myTable" or worse yet, "; DELETE FROM myTable" you've got a serious problem.

The lesson is to make sure that all inputs are properly scrubbed (with HTML encoding, searching for special characters, etc.) before they go anywhere near a database query.

orthod0ks
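The `LIKE` search above is a case where people often assume the query cannot be parameterized because of the surrounding `%` wildcards. As an added example (not code from the original answer or its author), the following Python script, using the standard `sqlite3` module and a few constructed rows, keeps the answer's concatenation beside a parameterized version. The parameterized version puts the wildcards into the bound value rather than the SQL text, and additionally escapes `%` and `_` inside the user's term so the term is matched literally, which is a separate concern from injection that the parameter alone does not solve.

```python
import sqlite3

# Constructed sample rows (not from the original page). "100%_done" contains
# both LIKE metacharacters; "o'brien" contains a quote.
SAMPLE_ROWS = [("alice",), ("bob",), ("100%_done",), ("o'brien",)]

# Escape character used in the LIKE ... ESCAPE clause below (an assumption of
# this example; any single character the term cannot contain unescaped works).
LIKE_ESCAPE = "\\"


def make_db():
    """In-memory SQLite database with the table from the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO myTable (name) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn, search_term):
    """The answer's concatenation, unchanged in spirit: the term becomes part
    of the SQL text, so a quote breaks the statement and a bare % matches
    every row."""
    query = "SELECT name FROM myTable WHERE name LIKE '%" + search_term + "%'"
    return [row[0] for row in conn.execute(query)]


def unsafe_query_breaks(conn, search_term):
    """True if the concatenated query is no longer valid SQL for this term."""
    try:
        search_unsafe(conn, search_term)
    except sqlite3.OperationalError:
        return True
    return False


def escape_like(term, esc=LIKE_ESCAPE):
    """Escape the escape character itself, then the LIKE wildcards, so the
    user's text is matched literally inside a LIKE pattern."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_safe(conn, search_term):
    """Parameterized search. The SQL text is constant; the wildcards and the
    escaped term travel together as one bound value."""
    pattern = "%" + escape_like(search_term) + "%"
    rows = conn.execute(
        "SELECT name FROM myTable WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    for term in ["li", "%", "_", "o'brien"]:
        print(repr(term), "->", search_safe(conn, term))
    print("concatenated query with o'brien breaks:", unsafe_query_breaks(conn, "o'brien"))
```

With the parameterized version, searching for `%` or `_` returns only the row that actually contains that character, and a term with an apostrophe is just another string; the concatenated version returns every row for `%` and fails to parse for `o'brien`.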
A: 

SQL injection is a form of attack where the attacker puts a SQL statement into a text field where it is unexpected.

E.g., What is your first name?

a'; SELECT * FROM secrets;

When the user's answer is executed on the server, the code will look like this:

SELECT * FROM users where fname = 'a'; SELECT * FROM secrets;

...The latter statement was not intended by the developer. This can be prevented by the use of parameterized queries.

steamer25