Jump to content

SQL injection

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 80.138.242.167 (talk) at 22:51, 14 March 2004. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

SQL Injection is a security vulnerability that occurs in the database layer of an application. It's source is the incorrect escaping of variables embedded in SQL statements.

Assuming the following code is embedded in the application, and a parameter "userName" that contains the user's name is given, SQL Injection is possible: 

statement := "SELECT * FROM users WHERE name = '" + userName + "';"

If supplied with "a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%" as "userName", the following SQL statement would be generated: 

SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

The database would execute the statement in ordner, selecting data, dropping (deleting) the "users" table and selecting data that maybe was not meant to be displayed to web users. In essence, any data in the database available to the user connecting to the database could be read and/or modified.

SQL Injection is easy to work around with in most programming languages that target web applications or offer functionality. In the Java programming language, the PreparedStatement class should used.

Instead of 

Connection con = (acquire Connection)
Statement stmt = con.createStatement();
ResultSet rset = stmt.executeQuery("SELECT * FROM users WHERE name = '" + userName + "';");

use the following 

Connection con = (acquire Connection)
PreparedStatement pstmt = con.prepareStatement("SELECT * FROM users WHERE name = ?");
pstmt.setString(1, userName);
ResultSet rset = stmt.executeQuery();
Retrieved from "https://en.wikipedia.org/w/index.php?title=SQL_injection&oldid=2767038"