
1.2 How Can SQL Injection Happen?


Let us review some classic vulnerabilities in SQL code that can be exploited by using SQL injection.

Example 1 (animation): a SQL injection attack using a user-supplied column-comparison value.

Example 2 (animation): a SQL injection attack using a user-supplied table name.

To immunize your code against SQL injection attacks, you must either use bind arguments (automatically with static SQL, or explicitly with dynamic SQL) or validate and sanitize every input value that is concatenated into dynamic SQL.

Counter-example 1 (animation): avoiding the SQL injection attack shown in example 1 above by using bind arguments.

Counter-example 2 (animation): avoiding the SQL injection attack shown in example 2 above by using DBMS_ASSERT.
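The two vulnerable patterns and their counter-examples written out as PL/SQL, as an added illustration that is not part of the original tutorial. It assumes an EMPLOYEES table with LAST_NAME and SALARY columns; the function names are invented for this example.

```sql
-- Assumed schema: EMPLOYEES (LAST_NAME VARCHAR2, SALARY NUMBER).

-- Example 1 pattern: a user-supplied comparison value is concatenated into
-- the statement text, so the value can change the meaning of the WHERE clause.
CREATE OR REPLACE FUNCTION get_salary_unsafe (p_last_name IN VARCHAR2)
   RETURN NUMBER
IS
   l_sql    VARCHAR2(4000);
   l_salary NUMBER;
BEGIN
   -- VULNERABLE: p_last_name becomes part of the parsed SQL, not just data.
   l_sql := 'SELECT salary FROM employees WHERE last_name = '''
            || p_last_name || '''';
   EXECUTE IMMEDIATE l_sql INTO l_salary;
   RETURN l_salary;
END;
/

-- Counter-example 1: the same lookup with a bind argument (USING clause).
-- The value is passed to the parsed statement as data and can never alter
-- its structure, whatever characters it contains.
CREATE OR REPLACE FUNCTION get_salary_safe (p_last_name IN VARCHAR2)
   RETURN NUMBER
IS
   l_salary NUMBER;
BEGIN
   EXECUTE IMMEDIATE 'SELECT salary FROM employees WHERE last_name = :name'
      INTO l_salary
      USING p_last_name;
   RETURN l_salary;
END;
/

-- Example 2 pattern: an identifier such as a table name cannot be bound, so it
-- must be validated before concatenation.
-- Counter-example 2: DBMS_ASSERT.SQL_OBJECT_NAME returns the name only if it
-- is a qualified SQL identifier of an object that exists and is visible to the
-- caller; otherwise it raises ORA-44002 (invalid object name) and nothing runs.
CREATE OR REPLACE FUNCTION count_rows_safe (p_table_name IN VARCHAR2)
   RETURN NUMBER
IS
   l_count NUMBER;
BEGIN
   EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table_name)
      INTO l_count;
   RETURN l_count;
END;
/
```

Calling get_salary_safe('King') behaves like the unsafe version on ordinary input, while count_rows_safe('employees; drop table x') fails with ORA-44002 before any statement is executed.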


Although any program or application may be vulnerable to SQL injection, Web applications are at higher risk because an attacker can perpetrate SQL injection attacks without any database or application authentication.

Flow chart (animation): a SQL injection vulnerability assessment flow chart.