If you use user input without modification, a malicious user can pass unexpected data and fundamentally change your SQL queries.
If your code looks something like this:
var sql = 'UPDATE users SET first_name="' + req.body.first_name + '" WHERE id=1001;';
You would expect the generated SQL to be:
UPDATE users SET first_name="Liz" WHERE id=1001;
But if your malicious user types their first name as:
Liz", last_name="Lemon"; --
The generated SQL then becomes:
UPDATE users SET first_name="Liz", last_name="Lemon"; --" WHERE id=1001;
Now all of your users are named Liz Lemon, and that’s just not cool.
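As an added example (not code from the original page), here is the concatenated UPDATE from the text next to a parameterized form, plus a small helper that shows how the statement's structure changes when the input from the text is supplied. The `?` placeholder style used by drivers such as mysql2 is assumed; no database is contacted, and the helper only understands this page's query shape.

```javascript
// Vulnerable: the request field is spliced into the SQL text itself.
function buildConcatenatedQuery(firstName) {
  return 'UPDATE users SET first_name="' + firstName + '" WHERE id=1001;';
}

// Hardened: the SQL text is constant and the value is shipped separately, so the
// driver sends it as data whatever characters it contains (assumed "?" placeholder style).
function buildParameterizedQuery(firstName) {
  return { sql: 'UPDATE users SET first_name=? WHERE id=1001;', params: [firstName] };
}

// Demonstration helper (limited to this page's query shape): reports which columns
// the first statement assigns and whether its WHERE clause survives, treating
// double-quoted text as a string literal, ";" as statement end and "--" as a comment.
function describeUpdate(sql) {
  let stmt = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === '"') inString = !inString;
    if (!inString && (ch === ';' || sql.startsWith('--', i))) break;
    stmt += ch;
  }
  const parts = stmt.replace(/^UPDATE\s+\w+\s+SET\s+/i, '').split(/\s+WHERE\s+/i);
  const columns = parts[0].split(',').map((a) => a.split('=')[0].trim());
  return { columns, hasWhere: parts.length > 1 };
}

// Constructed inputs: the benign name and the payload shown in the text.
const benignInput = 'Liz';
const hostileInput = 'Liz", last_name="Lemon"; --';

console.log(describeUpdate(buildConcatenatedQuery(benignInput)));
// { columns: ['first_name'], hasWhere: true }
console.log(describeUpdate(buildConcatenatedQuery(hostileInput)));
// { columns: ['first_name', 'last_name'], hasWhere: false }  <- two columns, WHERE gone
console.log(describeUpdate(buildParameterizedQuery(hostileInput).sql));
// { columns: ['first_name'], hasWhere: true }  <- structure unchanged, payload is just a value
```

The same helper run over the parameterized statement shows why placeholders work: the SQL sent to the server never contains the user's characters, so there is nothing for a stray quote or `--` to alter.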