SQL injection is a very important topic that a good hacker must be aware of.
A bad database design can be exploited by SQL injection. It's like leaving a shop full of expensive goods without a good-quality lock: one can easily break into it.
Suppose the database programmer has written the database access code in such a way that it retrieves values like
"SELECT * FROM users WHERE name = '" + userName + "';"
Now the programmer assumes that whatever username the user enters will simply be appended to the query, and the query will run accordingly. But what if I enter the user name as
' or '1'='1
The query becomes
"SELECT * FROM users WHERE name = '' or '1'='1';"
which matches every row and so gives any user access to the confidential area.
Any good code must be protected against SQL injection.
There are various methods to protect your code. One can use parameterized statements to pass input to the SQL statement instead of concatenating the user-supplied value directly into it. If one uses an ORM (object relational mapping) layer, that eliminates the need to write SQL code by hand...
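To make the difference concrete, here is an added example (not code from the original post) that runs the vulnerable concatenated query and the parameterized version side by side against a constructed in-memory SQLite table with two users. The table, the user names and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# The exact input discussed in the post.
PAYLOAD = "' or '1'='1"


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, user_name):
    """String concatenation: the user's text becomes part of the SQL itself."""
    query = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_name):
    """Parameterized statement: the value is bound separately by the driver,
    so any quotes inside it are treated as data, never as SQL syntax."""
    query = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(query, (user_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Concatenation: the WHERE clause becomes name = '' or '1'='1', every row matches.
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))
    # Parameterized: looks for a user literally named ' or '1'='1, so nothing matches.
    print("safe:      ", find_user_safe(db, PAYLOAD))
    # A legitimate lookup still works with the safe version.
    print("alice:     ", find_user_safe(db, "alice"))
```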
Hope you will be able to secure your code against SQL injection after reading this...