- SQL injection attacks use a series of malicious SQL queries to directly manipulate the database
- An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data
- SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches
- This attack is possible only when the application executes dynamic SQL statements or stored procedures whose arguments are built from user input
Example login username: a' or 'a'='a
When this username is sent to the server, the WHERE condition always evaluates to true, which lets an attacker log in without valid credentials and execute the query against the database.
// server-side vulnerable code: user input is concatenated straight into the SQL string
String uname = request.getParameter("uname");
String pwd = request.getParameter("pwd");
PreparedStatement ps = con.prepareStatement("select * from ecempinfo where uname='" + uname + "' and pwd='" + pwd + "'");
ResultSet rs = ps.executeQuery(); // with uname = a' or 'a'='a the WHERE clause is always true
Because PreparedStatement inherits from Statement, using PreparedStatement by itself gives no protection when the query is still built by string concatenation: the SQL text is already assembled, attacker input included, before the driver ever sees it. Use the "?" placeholder character and bind the values instead, which prevents SQL injection.
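The hardened form of the login check above, as an added example rather than code from the original note; it assumes the same `ecempinfo` table, a JDBC `Connection` named `con`, and a servlet `HttpServletRequest` named `request`, and the class and method names here are made up for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;

public class LoginDao {

    // Safe variant: the SQL text is fixed at compile time and user input is bound to "?"
    // placeholders. The input a' or 'a'='a is then compared literally against the uname
    // column (quotes included) and can never change the structure of the WHERE clause.
    public static boolean isValidUser(Connection con, String uname, String pwd) throws SQLException {
        String sql = "select 1 from ecempinfo where uname = ? and pwd = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, uname);   // bound as data, not spliced into the query text
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();     // true only when a matching row exists
            }
        }
    }

    // Same request handling as the vulnerable snippet, now routed through the bound query.
    // Hypothetical entry point: name and signature are assumptions for this example.
    public static boolean handleLogin(HttpServletRequest request, Connection con) throws SQLException {
        String uname = request.getParameter("uname");
        String pwd = request.getParameter("pwd");
        if (uname == null || pwd == null) {
            return false;             // missing parameters never reach the database
        }
        return isValidUser(con, uname, pwd);
    }
}
```

Sending the username a' or 'a'='a to handleLogin now returns false unless a row literally contains that string, which is the behaviour the concatenated version fails to guarantee.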