This article opens a series exploring basic security issues around injecting SQL statements through web forms and URL parameters.
Each article presents code with a security flaw and shows how to avoid it.
So let's start with a simple login form implemented with the following code:
In this example, the code checks whether the query returned any records and, if it did, assumes that the supplied credentials are correct.
The fundamental mistake is concatenating the values received from the form directly into the SQL statement, which lets the user reshape the query at will.
Regardless of the user name entered, typing the following text into the password field is enough to make the login succeed: o' or 1=1 #
With this text the SQL statement always returns a record, because the condition 1=1 is true for every row. The # at the end makes MySQL ignore the rest of the statement, since # begins a single-line comment in MySQL.
The solution is to use parameters: prepare the statement with placeholders and bind the form values separately before executing it. The following code resolves the problem:
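As an added example (not the article's own code), the concatenated login check and its parameterized counterpart side by side in Python, using an in-memory SQLite table as a stand-in for the MySQL users table; because SQLite's line-comment marker is `--` rather than MySQL's `#`, the article's payload is written with `--` so the demonstration runs as-is. The table name, column names and the sample user are assumptions.

```python
import sqlite3

# Constructed in-memory database standing in for the article's MySQL users table.
# Passwords are kept in clear text only to keep the demo short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

# Vulnerable version: form values are concatenated straight into the SQL text,
# so a quote in the password field changes the structure of the query.
def login_vulnerable(conn, username, password):
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    (count,) = conn.execute(sql).fetchone()
    return count > 0  # "any record returned" is taken as a successful login

# Hardened version: the statement is prepared with placeholders and the values
# are bound separately, so the driver only ever compares them as data.
def login_safe(conn, username, password):
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0

# The article's payload ends in MySQL's '#' comment marker; SQLite's marker is
# '--', so the same input is written here as: o' or 1=1 --
PAYLOAD = "o' or 1=1 --"

def demo():
    conn = make_db()
    results = {
        "real_password_safe": login_safe(conn, "alice", "correct horse"),
        "wrong_password_safe": login_safe(conn, "alice", "wrong"),
        "payload_vulnerable": login_vulnerable(conn, "nobody", PAYLOAD),
        "payload_safe": login_safe(conn, "nobody", PAYLOAD),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Only the concatenated version accepts the payload; the bound-parameter version compares the whole string against the stored password and rejects it.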