SQL Injection Example

By Deane Barker on May 12, 2005

The Best of Both Worlds: This Daily WTF is about something else, but it includes this bit in the intro that will make you think about SQL injection attacks. Ponder this.

If you’ve ever worked with a database, chances are you know the difference between “dynamic queries” and “parameterized queries”. In the former, you just concatenate a value to your query string ("where col='" val "'") and cross your fingers that val isn't "'; drop database --".
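To make the difference concrete, here is an added example (not code from the post, from Deane Barker, or from The Daily WTF). It uses Python's built-in sqlite3 module with a constructed in-memory table so it runs offline, and puts the "cross your fingers" dynamic query next to the parameterized one. The table name, column name and sample rows are assumptions chosen for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original post): a tiny in-memory
    table with three rows, one of which legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?)", [("data",), ("O'Brien",), ("secret",)]
    )
    conn.commit()
    return conn


def dynamic_query(conn, val):
    """The dynamic-query version: val is concatenated straight into the SQL
    text, so any quote inside val changes the structure of the statement."""
    sql = "SELECT col FROM t WHERE col='" + val + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_query(conn, val):
    """The parameterized version: the SQL text is fixed and val travels
    separately as a bound parameter, so it is always compared as data."""
    sql = "SELECT col FROM t WHERE col=?"
    return [row[0] for row in conn.execute(sql, (val,))]


def demo():
    conn = make_db()
    results = {}

    # 1. A well-behaved value: both forms return the same single row.
    results["plain_dynamic"] = dynamic_query(conn, "data")
    results["plain_param"] = parameterized_query(conn, "data")

    # 2. A legitimate value containing an apostrophe. The dynamic query breaks
    #    (the quote ends the string literal early and sqlite rejects the rest);
    #    the parameterized query simply finds the row.
    try:
        results["quote_dynamic"] = dynamic_query(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["quote_dynamic"] = "error: " + str(exc)
    results["quote_param"] = parameterized_query(conn, "O'Brien")

    # 3. A value that closes the quote and appends an always-true OR clause,
    #    in the spirit of the commenter's col='data OR '%' example. The dynamic
    #    query now returns every row; the parameterized query returns none,
    #    because the whole string is compared literally against col.
    hostile = "data' OR '%'='%"
    results["hostile_dynamic"] = dynamic_query(conn, hostile)
    results["hostile_param"] = parameterized_query(conn, hostile)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Note that sqlite3's execute() accepts only one statement per call, so a stacked "'; drop database --" suffix would be rejected here regardless; the quote-breaking case in step 3 is the one that works against any database, and it is the parameterized binding, not the database engine, that neutralizes it. The apostrophe case in step 2 is the practical argument for the fix: parameterization is not only safer, it is the only version that handles ordinary data correctly.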

  1. um, I don't care if it's drop database -- or select password where root, that query would break as the variable 'val' is being compared to what the field is.

     What you need to be concerned with is if they can add quotes to the val to make it:

     select * from table where col='data OR '%"

