
SQL Antipatterns by Bill Karwin


Antipattern: Execute Unverified Input As Code

SQL injection happens when you interpolate some content into an SQL query string and the content modifies the syntax of your query in ways you didn’t intend. In the classic example of SQL Injection, the value you interpolate into your string finishes the SQL statement and executes a second complete statement. For instance, if the value of the $bug_id variable is 1234; DELETE FROM Bugs, the resulting SQL shown earlier would look like this:

SQL-Injection/anti/delete.sql

SELECT * FROM Bugs WHERE bug_id = 1234; DELETE FROM Bugs

This type of SQL Injection can be spectacular.[26]

[Figure: exploits_of_a_mom.png]
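The following added example (not from the book) reproduces the interpolation antipattern above against a constructed in-memory SQLite table and contrasts it with a parameterized query. Python's sqlite3 refuses multiple statements in execute(), so executescript() stands in here for a driver that permits them; the Bugs schema and rows are invented for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny Bugs table (assumption, not the book's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Bugs (bug_id INTEGER PRIMARY KEY, summary TEXT)")
    conn.executemany("INSERT INTO Bugs VALUES (?, ?)",
                     [(1234, "crash on save"), (1235, "typo in menu")])
    conn.commit()
    return conn

def build_interpolated_query(bug_id):
    # The antipattern: the input becomes part of the SQL text itself.
    return f"SELECT * FROM Bugs WHERE bug_id = {bug_id}"

def lookup_interpolated(conn, bug_id):
    # executescript() runs every statement in the string, so an input of
    # "1234; DELETE FROM Bugs" also runs the DELETE. Returns the rows left.
    conn.executescript(build_interpolated_query(bug_id))
    return conn.execute("SELECT COUNT(*) FROM Bugs").fetchone()[0]

def lookup_parameterized(conn, bug_id):
    # The fix: the driver binds bug_id as a value, never as SQL syntax, so the
    # same input simply matches nothing. Returns (matching rows, rows left).
    rows = conn.execute("SELECT * FROM Bugs WHERE bug_id = ?", (bug_id,)).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM Bugs").fetchone()[0]
    return rows, remaining
```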

Usually these ...
