How to avoid SQL Injection

What is SQL Injection:

SQL injection is a technique in which an attacker try to alter the backend sql statement through your application's input. Like he/she can enter such statments in your application's input (i.e. Text box) which can alter the sql statement at your backend.


SQL injection can be explained with the help of the following example:

Suppose you have following:

A Login Page

A User table in your database.

Your application can be accessed only after entering the user name and password in the input of your login page.

Suppose there is only one user called "test" and its password is "test".

User will enter the above mentioned user name and password in login page.

The sql statement which you generate in ur login page will look some thing like that

select * from User where username = 'test' and password = 'test';

If the above statement returned a count of 1 then you will redirect user to default page of your application.

What if in the user name the attacker enter the following name

'sample' or 1=1 --

The sql statement which will be constructed will look like this:

select * from User where username = 'sample' or 1=1-- and password = 'test';

The above statement in sql will always return some result and the attacker will be redirected to default page of your application. why ? To know the reason lets digest the above statement:

The statement is self explanatory :). See that in user name the attacker has entered such info which will always be true. i.e. The attacker has basically altered your sql statement in such a way that he/she is asking for a user name where user name is 'sample' or 1=1 and commenting all statement after that. If no user with the user name of 'sample' is found then the statement 1=1 will always be true and -- will ignore the remaining statement because of --.


The attacker can also use some other statements after login. which may includes Insert,update,delete,drop etc.

How to avoid from SQL Injection:

Avoiding from SQL injection is not a rocket Science. You can do any thing from the following:

Use SP to execute your SQL statement, and do not construct the complete SQL in ur application.

Proper Validation (i.e. dont allow user to enter invalid character like -- etc)


The attacker can make different combination to attack the application, so always keep sql injecton in your mind while developing the application.
4:49 PM

1 Response to "How to avoid SQL Injection"

hitendra Says :
September 6, 2009 at 1:09 PM

nice info. thnx buddy.. i needed your some help.. m there in your yahoo messenger list with id icedroplet1999

Post a Comment