

by Raja   on 26/05/2011   Category: Security   |  Level: Advance   |  Views: 7085    |  Points: 25     |  Bronze 

SQL injection is a technique used to attack a database through a web application. It exploits non-validated input: attacker-supplied text is sent along with the SQL queries built by the web application and executed at the database.

For example, consider a page that displays employee details based on a query string value (Empid) passed from another page, with a URL like the one shown below.

Based on the above query string, the application builds a query like the one shown below:
Select empname, address, phone, pin from employee where empid = 47;

The above query executes at the back end and returns the employee details to display in the employee page. But an attacker can change the query string value as shown below, and this is what will execute at the database:
http://www.employee.com/details/employe.aspx?Empid=47; drop table employee

So the application builds a query like:
Select empname, address, phone, pin from employee where empid = 47;
Drop table employee;

Both queries execute as a single batch at the database; the second query deletes the employee table. Sending or inserting malicious SQL commands through input in this way is called SQL injection.
To learn how to avoid SQL injection, see the link below for more information.

