SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement.
This results in the potential manipulation of the statements performed on the database by the end-user of the application.
The following line of code illustrates this vulnerability: This SQL code is designed to pull up the records of the specified username from its table of users.
However, if the "user Name" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended.
For example, setting the "user Name" variable as: If this code were to be used in an authentication procedure then this example could be used to force the selection of every data field (*) from all users rather than from one specific user name as the coder intended, because the evaluation of '1'='1' is always true (short-circuit evaluation).
The following value of "user Name" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using an API that allows multiple statements: function do not allow this for security reasons.
This prevents attackers from injecting entirely separate queries, but doesn't stop them from modifying queries.
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints.
This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric.
For example: It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field.
However, if it is in fact a string then the end-user may manipulate the statement as they choose, thereby bypassing the need for escape characters.