SQL injection is the most common and dangerous security issue these days. An attacker who finds one can:
1) Read data from your database
2) Insert malicious content into your database
3) Gain access to your site
4) Delete tables from your database
5) Manipulate the contents of your database
Why SQL Injection occurs
SQL injection occurs because the web developer did not put proper validation on the data taken from the user before using it in an SQL query. So we can say that it is purely a programming error; it has nothing to do with the web hosting, the technology used, etc.
Example of SQL injection
Let's look at a simple piece of server-side PHP code without any validation:
// Raw POST value pasted straight into the query text
$inputData = $_POST["user_id"];
$SQL_Query = "select * from user_table where user_id = " . $inputData;
Let's have a look at different user inputs:
1) If the user enters: 7 or 1 = 1
The SQL statement becomes: select * from user_table where user_id = 7 or 1 = 1
The condition "1 = 1" is true for every row, so the query returns the whole table instead of one user.
2) If the user enters: 7 ; drop table user_table;
The SQL statement becomes: select * from user_table where user_id = 7 ; drop table user_table;
Where the database driver executes several statements in one call, the second statement deletes the table.
How to prevent SQL injection
1) Do not build queries by string concatenation: use prepared statements (bound parameters) or stored procedures
2) Validate user data: always validate all data provided by the user, and escape all user-supplied input
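The following is an added example (not code from the original post) that reproduces the vulnerable concatenated query beside its hardened form. It uses Python's sqlite3 module with a constructed in-memory user_table standing in for the PHP snippet above, so it runs offline; the table contents and the helper names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's user_table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (user_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO user_table VALUES (?, ?)",
        [(7, "alice"), (8, "bob"), (9, "carol")],
    )
    return conn


def lookup_concatenated(conn, input_data):
    # Mirrors the vulnerable PHP: the raw input becomes part of the query
    # text, so the database parses it as SQL. Input "7 or 1 = 1" therefore
    # matches every row. (sqlite3.execute() refuses stacked statements, so
    # the "; drop table" variant is not reproduced here.)
    query = "select * from user_table where user_id = " + input_data
    return conn.execute(query).fetchall()


def lookup_prepared(conn, input_data):
    # Hardened form (prepared statement): the query text is fixed and the
    # input travels separately as a bound parameter. "7 or 1 = 1" is now
    # compared as a literal value and matches nothing.
    query = "select * from user_table where user_id = ?"
    return conn.execute(query, (input_data,)).fetchall()


def lookup_validated(conn, input_data):
    # Validation layered on top: a user_id must be an integer, so anything
    # else is rejected before it reaches the database at all.
    try:
        user_id = int(input_data)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer") from None
    return lookup_prepared(conn, user_id)
```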