sql injection


I have heard many times about sql injection. Can anyone help me, what is sql injection and practically how it is done?

Thank you
Kevin Cross, Chief Technology Officer, commented:
Aside from the links already given, SQL injection is typically when you have a SQL statement executed from another piece of code like a web application that doesn't guard against the 'injection' of other T-SQL that is usually malicious in nature.

For example, a bad practice for checking user passwords on logon would be:

select * from users where username = 'john' and password = 'smith'

Aside from the other reasons this is bad, imagine if instead of smith I passed this as my password:

smith' or '1'='1

Or better shown:
select * from users where username = 'john' and password = 'smith' or '1'='1'

gr8gonzo here at EE did a nice job of explaining that and some other security items here:


Hope that helps.