
What is SQL injection? [duplicate]

开发者 https://www.devze.com 2022-12-19 16:17 Source: Internet
This question already has answers here: Closed 12 years ago.

Possible Duplicates:

XKCD sql injection - please explain

What is SQL injection?

I have seen the term "SQL injection" but still do not understand it. What is it?


SQL injection is where someone inserts something malicious into one of your SQL queries.

Let's assume that you have an SQL query like this:

select * from people where name = '<name>' and password = '<password>'

Now let's assume that <name> and <password> are replaced by something someone types on your webpage. If someone typed this as their password...

' or '' = '

...then the resulting query would be:

select * from people where name = 'someone' and password = '' or '' = ''

...which was clearly not your intent. You can read more about it here.


SQL Injection is where an attacker is able to manipulate the data they send you in a manner that fools your program into using some of it as SQL commands.

For examples you could visit here



When you build an SQL query it usually contains all sorts of bits and fragments, some of which come from user input. For example, if you have a "Search Book" facility in your app, then the name of the book is a string coming from the user.

Smart, evil users can manipulate the inputs that they send to your app such that the SQL query built from this input will be harmful.

So if you build your query like this:

String q = "Select * from books where name='" + bookName + "'";

Then a hacker can search for a book called "x'; delete from books where name like '%"

The net result will be that the following query will be executed: Select * from books where name='x'; delete from books where name like '%'

This will delete all records of the book table. The standard way to avoid this is to always use prepared statements when building queries that include user-supplied pieces.
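The two answers above describe the same defect from two angles: the first shows an authentication check bypassed with the password `' or '' = '`, the last recommends prepared statements as the fix. The following Python script is an added example (not code from either answer) that runs both the concatenated query and the parameterized one against a constructed in-memory SQLite table, so you can see the bypass happen and then see the same input fail once the value is bound as a parameter. Table name, column names and the sample rows are assumptions made for the demo.

```python
import sqlite3

# Constructed sample accounts for the demo; not from the original answers.
PEOPLE = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory table shaped like the 'people' table in the first answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (name text, password text)")
    conn.executemany("insert into people values (?, ?)", PEOPLE)
    return conn


def login_vulnerable(conn, name, password):
    """Build the query by string concatenation, exactly as the answers warn against.

    Whatever the user types becomes part of the SQL text, so quote characters
    in the input change the structure of the WHERE clause.
    """
    q = ("select name from people where name = '" + name
         + "' and password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(q))


def login_safe(conn, name, password):
    """Use a prepared statement with bound parameters.

    The driver sends the SQL and the values separately; the input is always
    treated as a string value, never as SQL syntax, so quotes cannot break out.
    """
    q = "select name from people where name = ? and password = ?"
    return sorted(row[0] for row in conn.execute(q, (name, password)))


def demo():
    """Run the password from the first answer through both code paths."""
    conn = make_db()
    payload = "' or '' = '"  # the malicious password from the first answer
    return {
        # Concatenation yields ... and password = '' or '' = '' which matches every row.
        "vulnerable": login_vulnerable(conn, "someone", payload),
        # The same text, bound as a parameter, matches nothing.
        "safe": login_safe(conn, "someone", payload),
        # A genuine credential still works through the safe path.
        "legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The `vulnerable` result lists every account because the injected `or '' = ''` is true for all rows; the `safe` result is empty because SQLite compares the literal eleven-character string against the stored password. The fix is the same in every language: keep the query text constant and pass user input only through placeholders.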
