What Is SQL Injection and How to Stop It?

 

   

 SQL injection is a simple way to access data from exposed sites.

Example:

<body>
  <form action='HelloInjection'>

  <input type='text' name='emailAddress' value=''/>
  <input type='submit' value='Submit'/>
</form>
</body>

 

JavaScript to process the value

Function get_vaue(email){

String query= "select * from email_subscriptions where email_address = '" + email + "'";

}

The key part of this the query:

String query= "select * from email_subscriptions where email_address = '" + email + "'";

 

We can supply whatever we want to go between the quotes. This enables us to add more conditions to the where clause. To do this, just close the quotes. Then add our additional criteria. For example, if we submit the following:

' or 1='1

This query becomes:

select * from email_subscriptions where email_address = '' or 1='1'

 

Therefore this query returns all the email addresses stored in the table! The code loops through all the results, displaying them all.