database security

Sql-Injection is a technique to inject (or execute) SQL commands within an application (database). It is mainly used to gain access to a databases content for which one has no authorization. The method injects SQL commands by providing input to a SQL statement which contains SQL meta-characters. Example statement: <strong>select * from user where username='input'</strong> SQL injected input:<strong>user' OR '1'='1</strong> The final statement:<strong>select * from user where username='user' OR '1'='1'</strong> Since 1 always equals 1, this statement would return all the users in the database! Depending on the SQL command, an attacker could insert, modify, extract and delete data in the database.