Many web applications take user input from a form and use it literally in the construction of a SQL query submitted to a database. For example:

SELECT productdata FROM table WHERE productname = 'user input product name'

A SQL injection attack involves placing SQL statements in the user input. SQL injection is a type of attack that can be used to gain login access to a website without having the user name and password.

SQL is a special-purpose programming language designed for managing data held in a relational database management system (RDBMS). Using SQL injection, this data can be modified. Injected statements can also affect everything else SQL covers: insert, query, update and delete, schema creation and modification, and data access control.


An Example SQL Injection Attack

Suppose we enter the following string as the user name or password:

x' OR 'x' = 'x

This input is put directly into the SQL statement within the web application:

$query = "SELECT prodinfo FROM prodtable
WHERE prodname = '" . $_POST['prod_search'] . "'";

This creates the following SQL:

SELECT prodinfo FROM prodtable
WHERE prodname = 'x' OR 'x' = 'x'

Because 'x' = 'x' is always true, the WHERE clause matches every row. The attacker has now successfully logged in.
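
The query above in runnable form, next to its fix, as an added example that is not code from the original page: it passes the page's input through the concatenated query and through a PDO prepared statement. The in-memory SQLite database (this assumes the pdo_sqlite extension is available), the sample rows, the function names search_concat and search_prepared, and the extra input containing an apostrophe are constructed for illustration.

```php
<?php
// Added example: the database, rows and function names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE prodtable (prodname TEXT, prodinfo TEXT)");
$pdo->exec("INSERT INTO prodtable VALUES
    ('widget',      'public widget data'),
    ('men''s shoe', 'public shoe data'),
    ('internal',    'unreleased product data')");

// Vulnerable: the input becomes part of the SQL text, as in the page's query.
function search_concat(PDO $pdo, string $input): array
{
    $query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $input . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed and the input is bound as a value,
// so quotes inside it cannot change the structure of the statement.
function search_prepared(PDO $pdo, string $input): array
{
    $stmt = $pdo->prepare("SELECT prodinfo FROM prodtable WHERE prodname = ?");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A normal search, a legitimate name with an apostrophe, and the page's input.
$inputs = ["widget", "men's shoe", "x' OR 'x' = 'x"];
foreach ($inputs as $input) {
    try {
        $concat = count(search_concat($pdo, $input)) . " row(s)";
    } catch (PDOException $e) {
        // An unbalanced quote breaks the concatenated statement outright.
        $concat = "SQL error";
    }
    $prepared = count(search_prepared($pdo, $input)) . " row(s)";
    printf("input: %s\n  concatenated: %s\n  prepared:     %s\n",
        $input, $concat, $prepared);
}
```

With the prepared statement the page's input is compared as a literal product name, so it matches nothing, and the name containing an apostrophe is found instead of causing a syntax error.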

Other injection possibilities

Using SQL injections, attackers can:

  • Add new data to the database
  • Modify data currently in the database
  • Perform an UPDATE in the injected SQL
  • Often gain access to other users' system capabilities by obtaining their passwords
