Secure password storing • www.martinstoeckli.ch • 3/13

SQL-Injection

As long as the developers of a website do not explicitly pay attention to it, input forms are often vulnerable to SQL injection. How easily this can be done is demonstrated with a small example.

Fishes per water type:

Example SQL-injection

Table: fishes

  name       water
  Trout      fresh
  Shark      salt
  Carp       fresh
  Blowfish   salt

Table: users

  name        password
  Nemo        nautilus
  Blackbird   treasure
  Moby Dick   orca
  Piccard     submarine2012

SELECT name, water FROM fishes WHERE water = '?'
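The following is an added example, not code from the original page: it rebuilds the two tables above in an in-memory SQLite database and runs the page's query twice, once with the form value pasted into the SQL string and once as a bound parameter. The crafted input is constructed for this illustration and shows why the string-concatenated version also exposes the users table.

```python
import sqlite3


def setup_db():
    """Constructed in-memory copy of the page's fishes and users tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE fishes (name TEXT, water TEXT);
        INSERT INTO fishes VALUES
            ('Trout', 'fresh'), ('Shark', 'salt'),
            ('Carp', 'fresh'), ('Blowfish', 'salt');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES
            ('Nemo', 'nautilus'), ('Blackbird', 'treasure'),
            ('Moby Dick', 'orca'), ('Piccard', 'submarine2012');
        """
    )
    return con


def fishes_vulnerable(con, water):
    # The page's query with the form value pasted straight into the SQL text.
    # Whatever the user typed becomes part of the statement itself.
    sql = f"SELECT name, water FROM fishes WHERE water = '{water}'"
    return con.execute(sql).fetchall()


def fishes_parameterized(con, water):
    # Same query, but the value is bound separately from the SQL text,
    # so the database always treats it as a plain string to compare.
    return con.execute(
        "SELECT name, water FROM fishes WHERE water = ?", (water,)
    ).fetchall()


def demo():
    con = setup_db()
    honest = "fresh"
    # Constructed input: closes the quote, appends a second SELECT over
    # the users table, and comments out the trailing quote.
    crafted = "fresh' UNION SELECT name, password FROM users -- "
    return {
        "honest_vuln": fishes_vulnerable(con, honest),
        "honest_param": fishes_parameterized(con, honest),
        "crafted_vuln": fishes_vulnerable(con, crafted),
        "crafted_param": fishes_parameterized(con, crafted),
    }
```

For the honest value both functions return the two freshwater fishes; for the crafted value the parameterized query returns nothing, while the concatenated one returns the fishes plus every row of the users table.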