Editing SQL injection (section)
==Root cause==
{{Norefs|section|date=March 2025}}
SQL injection is a common security vulnerability that arises when attacker-supplied data is allowed to become SQL code. It occurs when programmers assemble SQL queries by string interpolation or by concatenating SQL commands with user-supplied data. The attack relies on the fact that an SQL statement consists of both data and the commands that control how the statement is executed. For example, in the statement <syntaxhighlight lang="sql" inline>select * from person where name = 'susan' and age = 2</syntaxhighlight>, the string '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' is data and the fragment <syntaxhighlight lang="sql" inline>and age = 2</syntaxhighlight> is a command (the value <syntaxhighlight lang="sql" inline>2</syntaxhighlight> within it is also data). SQL injection occurs when specially crafted user input is processed by the receiving program in a way that allows the input to exit the data context and enter the command context, so that the attacker can alter the structure of the SQL statement that is executed.

As a simple example, suppose that the data '<syntaxhighlight lang="sql" inline>susan</syntaxhighlight>' in the above statement came from user input: the user entered the string <syntaxhighlight lang="sql" inline>susan</syntaxhighlight> (without the apostrophes) in a web form text field, and the program used [[string concatenation]] to form the statement from the three fragments <syntaxhighlight lang="sql" inline>select * from person where name='</syntaxhighlight>, the user input <syntaxhighlight lang="sql" inline>susan</syntaxhighlight>, and <syntaxhighlight lang="sql" inline>' and age = 2</syntaxhighlight>.

Now suppose that instead of <syntaxhighlight lang="sql" inline>susan</syntaxhighlight> the attacker entered <syntaxhighlight lang="sql" inline>' or 1=1; --</syntaxhighlight>. The program concatenates the same three fragments, <syntaxhighlight lang="sql" inline>select * from person where name='</syntaxhighlight>, the user input <syntaxhighlight lang="sql" inline>' or 1=1; --</syntaxhighlight>, and <syntaxhighlight lang="sql" inline>' and age = 2</syntaxhighlight>, and constructs the statement <syntaxhighlight lang="sql" inline>select * from person where name='' or 1=1; --' and age = 2</syntaxhighlight>. Many databases treat <syntaxhighlight lang="sql" inline>--</syntaxhighlight> as the start of a comment and ignore the rest of the line (MySQL is a notable exception: it requires whitespace after the two dashes, so an attacker targeting it would end the input with a space). The effective statement is therefore <syntaxhighlight lang="sql" inline>select * from person where name='' or 1=1;</syntaxhighlight>, and because <syntaxhighlight lang="sql" inline>1=1</syntaxhighlight> is always true it selects every row of <syntaxhighlight lang="sql" inline>person</syntaxhighlight> rather than only those named 'susan' whose age is 2. The attacker has crafted a data string that exits the data context and enters the command context: the apostrophe at the start of the input closes the string literal that the program opened, and from that character on the rest of the input is parsed as SQL rather than as a value.
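The following Python example, added here and not part of the article, reproduces the concatenation described above against an in-memory SQLite table and contrasts it with the usual fix, a parameterized query. The <code>person</code> table comes from the text; its rows are constructed sample data, since the article never specifies any. SQLite accepts <code>--</code> as a comment marker without trailing whitespace, so the page's input works unchanged.

```python
import sqlite3

# Constructed sample rows for the page's "person" table (assumption: the
# article never specifies the table's contents).
SAMPLE_PEOPLE = [("susan", 2), ("susan", 30), ("bob", 2), ("alice", 44)]


def make_db():
    """Create an in-memory SQLite database holding the sample person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table person (name text, age integer)")
    conn.executemany("insert into person values (?, ?)", SAMPLE_PEOPLE)
    conn.commit()
    return conn


def vulnerable_query(conn, name):
    """Deliberately vulnerable: build the statement from the three fragments
    in the text by string concatenation, so an apostrophe in the input closes
    the string literal and the rest of the input becomes SQL.
    Returns the statement actually sent and the rows it produced."""
    sql = "select * from person where name='" + name + "' and age = 2"
    return sql, conn.execute(sql).fetchall()


def safe_query(conn, name):
    """Hardened form: a parameterized query. Only the placeholder appears in
    the statement text; the driver hands the value to the engine as data, so
    the input can never leave the data context whatever characters it holds."""
    sql = "select * from person where name=? and age = 2"
    return sql, conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Run both variants on the same input and return what each did."""
    conn = make_db()
    try:
        vuln_sql, vuln_rows = vulnerable_query(conn, name)
        _, safe_rows = safe_query(conn, name)
    finally:
        conn.close()
    return {
        "statement": vuln_sql,       # the concatenated statement as sent
        "vulnerable_rows": vuln_rows,  # rows returned by the concatenated form
        "safe_rows": safe_rows,        # rows returned by the parameterized form
    }


if __name__ == "__main__":
    for user_input in ("susan", "' or 1=1; --"):
        result = demo(user_input)
        print("input:             ", repr(user_input))
        print("statement sent:    ", result["statement"])
        print("concatenated rows: ", result["vulnerable_rows"])
        print("parameterized rows:", result["safe_rows"])
        print()
```

With the benign input both variants return the single row <code>('susan', 2)</code>. With the attacker's input the concatenated form sends exactly the statement shown in the text and returns every row in the table, while the parameterized form looks for a person literally named <code>' or 1=1; --</code> and returns nothing.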