SQL injection is the means by which a user can pass malicious code to a database by injecting their own code into your SQL statement by passing part of an SQL statement to your query via an online form.
SQL injection is a technique for explaiting web applications that use client supplied data in SQL queries without stripping potentially harmful character first SQL injection occurs when an attacker is able to insert a series of SQL statements into query by manipulating data input into an application.
Example
- Enter first name kur'n and lastname Daud
so, Select id,firstname,lastname from author where firstname='kur'n' and lastname='daud'
it give error
2. Enter username ';drop table usertable
;colon terminate first query and drop table
3. username admin'--
4. username ór 1=1--
5. username únion select 1;'functional user and 'same password'',1--
here application believes that constant row that the attacker specified was part of the record set retrived from database.
SQL Injection Prevention
- using store procedure - use parameterized queries and SP
- protect SQL syntax- never allow client supplied data to modoify syntax of SQL statement and All SQL statements required by the application should be in SP and kept on database server
- Protect from your application level - protect it from application from by remove all char that could attempt any SQL injection
- combination approach- first you need to make sure that your SQL syntax is secure. second make sure that your application protect from any SQL character attempts. Finally make use of SP to update your database, and make sure that you define any restriction from your DBMS such as oracle and SQL server.