SQL Injection


When the program create SQL statement with some input, an sql injection attack can modify the SQL behavior by injecting (ie modify it) a piece of SQL in the input.


Below is an example of a SQL statement build with the help of an input.

"SELECT * FROM clients WHERE clientId = " + inputClientId;

if an attack gives as inputClientId, the value 10 or 1=1, the resulting SQL would be

SELECT * FROM clients WHERE clientId = 10 or 1=1;

which returns all clients.


To prevent SQL injection, you pass the input as parameters to the SQL. More … See SQL - Parameter (Bind | Substitution) (Marker | Variable)


  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

Powered by ComboStrap