Over the next couple of weeks I am going to post some security snippets that will make our web a huge happy place. On the menu for today: SQL Injection / Spoofing (I have heard it called both names). So, imagine a login screen with a username and password. We would expect Request("user") to be a string, such as "Ryan". A matching query for that screen may look similar to this:
SELECT password FROM tUsers
WHERE username = 'Ryan'
What if I were to type the string "'' OR username LIKE 'c%'" into the text field?
SELECT password FROM tUsers
WHERE username = ''
OR username LIKE 'c%'
This would return all passwords that match a username starting with ‘c’. Now that you see the flaw, here is more on how to prevent it:
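One way to prevent it, shown as an added example that is not code from the original post: the concatenated lookup beside a parameterized one, run against an in-memory SQLite copy of tUsers. The function names, the sample rows and the use of Python with sqlite3 are assumptions, as is the application wrapping the typed value in single quotes, so the typed value here is the one that produces the second query above.

```python
import sqlite3

def make_db():
    """Build an in-memory tUsers table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tUsers (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO tUsers VALUES (?, ?)",
        [("Ryan", "hash-r"), ("carol", "hash-c1"), ("chris", "hash-c2")],
    )
    return db

def lookup_concatenated(db, user):
    # Flawed pattern: the typed value becomes part of the SQL text itself,
    # so a quote in the input ends the string literal early.
    sql = "SELECT password FROM tUsers WHERE username = '" + user + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_parameterized(db, user):
    # The ? placeholder binds the typed value as data; the statement text
    # is fixed, so quotes in the input are compared literally.
    sql = "SELECT password FROM tUsers WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (user,)))

if __name__ == "__main__":
    db = make_db()
    typed = "' OR username LIKE 'c%"   # constructed input matching the post
    print("concatenated :", lookup_concatenated(db, typed))
    print("parameterized:", lookup_parameterized(db, typed))
    print("normal login :", lookup_parameterized(db, "Ryan"))
```

With the bound parameter the same input matches no row, because no username is literally equal to that string, while an ordinary username still resolves to its single row.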