How SQL Injection Works

How SQL Injection Works Hot

Tag it:

Articles Reviews Structured Query Language

Written by JOHN

Tuesday, 07 November 2006

{mos_sb_discuss:29}

Constructing a database query is a perfectly straightforward process. It typically proceeds something like this (for demonstration purposes, we'll assume that you have a database of wines, where one of the fields is the grape variety):

You provide a form that allows the user to submit something to search for. Let's assume that the user chooses to search for wines made from the grape variety "lagrein."

You retrieve the user's search term, and save it by assigning it to a variable, something like this:

SnyderSouthwell_5084.book  Page 250  Saturday, July 16, 2005  6:14 AM
 
 
 
 
 
 
 
$variety = $_POST['variety'];

So that the value of the variable $variety is now this:

lagrein

You construct a database query, using that variable in the WHERE clause, something like this:
```
$query = "SELECT * FROM wines WHERE variety='$variety'";
```
so that the value of the variable $query is now this:
```
SELECT * FROM wines WHERE variety='lagrein'
```
You submit the query to the MySQL server.
MySQL returns all records in the wines table where the field variety has the value "lagrein."

User reviews

There are no user reviews for this item.

Add new review

Last Updated ( Sunday, 11 February 2007 )

< Prev		Next >

[ Back ]

Who's Online
We have 1 guest online

Latest Articles

1.	Delphi Programming Tutorial #22 - SQL Part Four (0) (0) Category: Structured Query Language

2.	Delphi Programming Tutorial #21 - SQL Part Three (0) (0) Category: Structured Query Language

3.	Delphi Programming Tutorial #11 - SQL Part Two (0) (0) Category: Structured Query Language

4.	Delphi Programming Tutorial #10 - SQL Part One (0) (0) Category: Structured Query Language

5.	INSERT SQL Command (0) (0) Category: Structured Query Language

Grab a subscription!