SQL injection, as one of the most common web security vulnerabilities, is a code injection technique that aims to destroy your database. This occurs by inserting (i.e. injecting) malicious sql code into a sql query, typically via a web page input, which is then run by the application against the database.
Let us say we have a simple login form that asks the user to enter a uer name. The entered user name is then made sure to exist in
Users table in the database. If it does, the user is successfully logged in and greeted with a welcome message. Otherwise, the user is prompted again with the login form. The following is the main function that must validate the user: it returns
true if the username is found in the
Users table, false otherwise.
And here is the code that goes in the
And this is what goes in
This all of course is very naive, but it might seem to work fine. In fact, it would work fine under normal conditions but there is actually a big vulnerability that could be easily exploited by a malicious user. Try entering
name" OR "1"="1 in the user textbox in the login form. That will let you log in no matter what you put in place of
name. The reason is
name" OR "1"="1 will be the user name that gets direcly inserted in the sql query in
validateUser function resulting in the query:
SELECT * FROM Users WHERE name="name" OR "1"="1". Note that this query matches every single row in the
Users table leading the
validateUser function to return true no matter what to replace "name" with as long as
" OR "1"="1 is appended to it.
SQL injection is typically preventable easily by input sanitization:
Input Sanitization is the act of checking and modifying the user input (if needed) to prevent it from exploiting security holes.
It is certainly NOT a good idea to collect user input and insert it into a sql query (that gets executed against our database) without doing any sort of checks/validations on it. It is therefore sensible to make the following modification to
Note that we use
setString method to insert the user name into the query. The difference is that
setString sanitizes the input before inserting it into the sql query, preventing injection of harmful data.