What is SQL Injection

By: Emiley J.


SQL Injection is a method in which an attacker inserts malicious code into queries that run on your database. Have a look at this example:

<?php
// Deliberately vulnerable, as in the tutorial: the request parameters are
// concatenated straight into the SQL text, so a quote in either value is
// interpreted as SQL rather than as data.
$user = $_GET['user'];
$pw   = $_GET['pwd'];
$query = "SELECT login_id FROM users WHERE user='$user' AND pwd='$pw'";
mysql_query($query); // mysql_* extension (PHP 5); removed in PHP 7
?>

Voilà! Anyone can log in as any user, using a query string like http://example.com/login.php?user=admin'%20OR%20(user='&pwd=')%20OR%20user=', which causes the following query to be executed:

<?php
// What the injected values expand to: the user value closes the opening
// quote and starts an OR clause, and the pwd value closes the parenthesis
// it opened, so the WHERE clause is true for the admin row.
$query = "SELECT login_id FROM users WHERE user='admin' OR (user = '' AND pwd='') OR user=''";
mysql_query($query);
?>

It’s even simpler with the URL http://example.com/login.php?user=admin'%23, which executes the query SELECT login_id FROM users WHERE user='admin'#' AND pwd=''. Note that # marks the beginning of a comment in MySQL, so everything after it, including the password check, is ignored.

Again, it’s a simple attack. Fortunately, it’s also easy to prevent. You can sanitize the input using the addslashes() function, which adds a backslash before every single quote ('), double quote ("), backslash (\), and NUL (\0). Other functions are available to sanitize input, such as strip_tags().
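The following is an added example, not code from the tutorial: the same login query written with a prepared statement, which is the defence that removes the problem entirely, because the SQL text and the user-supplied values travel separately and a quote or # inside $user can never change the query's structure. It also shows the escaping approach for comparison, with the caveat a practitioner needs: addslashes() is not aware of the connection character set, so it is not a reliable escape for MySQL (mysqli_real_escape_string() is the connection-aware one), and escaping must be remembered at every call site. The table name users and the columns user, pwd and login_id come from the tutorial; the DSN, credentials and the assumption that pwd holds a password_hash() digest are mine.

```php
<?php
// Added example (not part of the original tutorial). Assumptions: the DSN and
// credentials are placeholders, and the pwd column stores a password_hash()
// digest rather than a plaintext password.
declare(strict_types=1);

// 1. Escape-based version of the tutorial's query, for comparison only.
//    addslashes() is not character-set aware, so it is not a safe MySQL
//    escape; even with a proper escape, every call site must remember it.
function buildQueryWithAddslashes(string $user, string $pw): string
{
    $u = addslashes($user);
    $p = addslashes($pw);
    return "SELECT login_id FROM users WHERE user='$u' AND pwd='$p'";
}

// 2. Prepared statement: the query structure is fixed before any value is
//    bound. The tutorial's payload admin'# simply looks up a user literally
//    named "admin'#" and finds nothing.
function findLoginId(PDO $db, string $user, string $pw): ?int
{
    $stmt = $db->prepare('SELECT login_id, pwd FROM users WHERE user = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The password is checked in PHP against the stored digest, so it never
    // appears in the SQL text at all.
    if (!password_verify($pw, $row['pwd'])) {
        return null;
    }
    return (int) $row['login_id'];
}

// Usage: DSN, database name and credentials are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$user = $_GET['user'] ?? '';
$pw   = $_GET['pwd'] ?? '';

$loginId = findLoginId($db, $user, $pw);
if ($loginId === null) {
    http_response_code(401);
    echo 'Login failed';
} else {
    echo "Logged in with login_id $loginId";
}
```

Setting PDO::ATTR_EMULATE_PREPARES to false makes PDO send the statement and the parameters to the MySQL server separately instead of interpolating them client-side, and declaring the charset in the DSN keeps the client and server in agreement about how multibyte input is interpreted.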
