1.1.3 How SQL Injection Works

If you splice user input into a query string as-is, a malicious user can supply data that changes the structure of your SQL, not just the values it carries.

If your code builds the query by string concatenation, something like this:

var sql = 'UPDATE users ' +
    'SET first_name="' + req.body.first_name + '" WHERE id=1001;';

You would expect the generated SQL to be:

UPDATE users 
    SET first_name="Liz" WHERE id=1001;

But if your malicious user types their first name as:

Liz", last_name="Lemon"; --

The generated SQL then becomes:

UPDATE users
    SET first_name="Liz", last_name="Lemon"; --" WHERE id=1001;

The semicolon ends the UPDATE before its WHERE clause ever arrives, and the comment marker swallows everything after it, so the statement that runs has no WHERE at all. Now all of your users are named Liz Lemon, and that's just not cool.

Two details worth knowing about this example: it assumes a MySQL-style dialect, where double quotes delimit string literals (in standard SQL, and in PostgreSQL, they delimit identifiers), and in MySQL the -- comment marker only counts as a comment when it is followed by whitespace, so the payload needs a trailing space after the dashes.
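The following is an added example, not code from the original page: it builds the UPDATE from the text both the vulnerable way and the parameterized way, then uses a small string-aware scanner to show which statement actually reaches the database parser. The user id 1001, the constructed inputs, and the helper names are assumptions for illustration; the placeholder form matches what the Node `mysql` and `mysql2` drivers accept as `connection.query(sql, values)`.

```javascript
// Added example (not from the original page). Assumes a MySQL-style dialect:
// double quotes delimit strings and "-- " (dash, dash, whitespace) starts a
// comment. Backslash escapes inside strings are not modelled.

const USER_ID = 1001; // hypothetical id, as in the text

// Vulnerable builder: user input is glued straight into the SQL text.
function buildUpdateUnsafe(firstName) {
  return 'UPDATE users SET first_name="' + firstName + '" WHERE id=' + USER_ID + ';';
}

// Fixed builder: the query text is a constant, the value travels separately.
// With the mysql/mysql2 Node drivers you would run connection.query(q.sql, q.values);
// the driver quotes and escapes the value, so it can only ever be data.
function buildUpdateSafe(firstName) {
  return {
    sql: 'UPDATE users SET first_name=? WHERE id=?',
    values: [firstName, USER_ID],
  };
}

// Returns the first statement in `sql`: the text up to the first ';' that is
// outside a double-quoted string and outside a "-- " comment. This is the
// statement the database actually executes as the UPDATE.
function firstStatement(sql) {
  let inString = false;
  let inComment = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inComment) {
      if (ch === '\n') inComment = false; // comments run to end of line
      continue;
    }
    if (inString) {
      if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') { inString = true; continue; }
    if (ch === '-' && sql[i + 1] === '-' && /\s/.test(sql[i + 2] || '')) {
      inComment = true; // MySQL only treats "--" as a comment when whitespace follows
      i++;
      continue;
    }
    if (ch === ';') return sql.slice(0, i);
  }
  return sql;
}

// True when the statement still has a WHERE clause outside its string literals.
function hasWhereClause(statement) {
  let inString = false;
  let stripped = '';
  for (const ch of statement) {
    if (ch === '"') inString = !inString;
    else if (!inString) stripped += ch;
  }
  return /\bWHERE\b/i.test(stripped);
}

// Constructed inputs: the honest value and the payload from the text
// (note the trailing space after the dashes).
const honest = 'Liz';
const malicious = 'Liz", last_name="Lemon"; -- ';

// Summary of what each builder produces, for a quick look in a REPL.
function compare(input) {
  const unsafe = buildUpdateUnsafe(input);
  const safe = buildUpdateSafe(input);
  return {
    unsafeStatement: firstStatement(unsafe),
    unsafeKeepsWhere: hasWhereClause(firstStatement(unsafe)),
    safeKeepsWhere: hasWhereClause(firstStatement(safe.sql)),
  };
}
```

Running `compare(malicious)` shows the vulnerable builder's first statement has lost its WHERE clause, while the parameterized query's text is unchanged whatever the input: the malicious string is just the value bound to the first placeholder.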