SQL-Injection

Preventing SQL-Injection in a Java application

Sql-Injection is a technique to inject (or execute) SQL commands within an application (database). It is mainly used to gain access to a databases content for which one has no authorization. The method injects SQL commands by providing input to a SQL statement which contains SQL meta-characters. Example statement: <strong>select * from user where username='input'</strong> SQL injected input:<strong>user' OR '1'='1</strong> The final statement:<strong>select * from user where username='user' OR '1'='1'</strong> Since 1 always equals 1, this statement would return all the users in the database! Depending on the SQL command, an attacker could insert, modify, extract and delete data in the database.
Subscribe to SQL-Injection