sql-injection
Diagram: Client -> Website (server-side code) -> Server-side data (a Users table with columns)

Example SQL statements against the Users table:

SELECT Age FROM Users WHERE Name='Dee';   -- returns 28
UPDATE Users SET email='[email protected]'
WHERE Age=32; -- this is a comment
INSERT INTO Users VALUES('Frank', 'M', 57, ...);
DROP TABLE Users;

Input submitted through the website form that gets spliced into the query:

frank' OR 1=1); --
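The following is an added example, not code from the slides: it builds the kind of server-side lookup the diagram describes, once by string concatenation and once with a parameterized query, and shows what the form input above does to each. The Users schema, the sample rows and the function names are assumptions made for the demo; the table lives in an in-memory SQLite database so it runs offline.

```python
import sqlite3

# Constructed sample table (assumed schema: Name, Sex, Age, Email).
SAMPLE_ROWS = [
    ("Dee", "F", 28, "dee@example.invalid"),
    ("Frank", "M", 57, "frank@example.invalid"),
    ("Bob", "M", 32, "bob@example.invalid"),
]

# The exact form input from the slide.
INJECTED_NAME = "frank' OR 1=1); --"


def make_db():
    """Create an in-memory Users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Sex TEXT, Age INTEGER, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_age_vulnerable(conn, name):
    """Server-side code that pastes the user's input into the SQL text.

    The input becomes part of the statement, so a quote character ends the
    string literal and everything after it is parsed as SQL.
    """
    query = "SELECT Age FROM Users WHERE (Name='" + name + "')"
    return [row[0] for row in conn.execute(query)]


def lookup_age_safe(conn, name):
    """Same lookup with a parameterized query.

    The driver sends the SQL text and the value separately; the value is
    only ever compared as data, never parsed as part of the statement.
    """
    query = "SELECT Age FROM Users WHERE (Name=?)"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Return the results both versions give for a normal name and the injected one."""
    conn = make_db()
    return {
        "vulnerable_dee": lookup_age_vulnerable(conn, "Dee"),
        "safe_dee": lookup_age_safe(conn, "Dee"),
        # WHERE (Name='frank' OR 1=1); --')  -> the tautology matches every row
        "vulnerable_injected": lookup_age_vulnerable(conn, INJECTED_NAME),
        # No row is literally named "frank' OR 1=1); --", so nothing matches
        "safe_injected": lookup_age_safe(conn, INJECTED_NAME),
    }


if __name__ == "__main__":
    for label, ages in demo().items():
        print(f"{label:>20}: {ages}")
```

With the concatenated query the injected input turns `WHERE (Name='frank')` into `WHERE (Name='frank' OR 1=1)` and comments out the rest, so every user's age comes back; the parameterized version treats the whole string as one name and returns nothing. The fix is the same regardless of which statements the attacker is after (UPDATE, INSERT or DROP TABLE from the slide): keep user data out of the SQL text entirely.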
Chart: % of vulnerabilities that are SQL injection, by year 2002 to 2014 (y axis 0 to 20%)
Sources:
http://web.nvd.nist.gov/view/vuln/statistics
http://xkcd.com/327/