In a SQL injection attack, the attacker provides malicious form input that is fed into a DB server.
Outcomes may include data deletion, bypassing access control, etc.
Sample Buggy Login
Server side code:
results = db.execute(
    "SELECT * FROM Users WHERE user='" + form["user"] + "' " +
    "AND pwd='" + form["pwd"] + "'")   # form fields concatenated straight into the SQL text
if results:
    login(results)
else:
    login_failed(form)
An attacker can supply ' or 1=1 -- as the value for user. This makes the effective code:
results = db.execute("SELECT * FROM Users WHERE user='' or 1=1 -- ' AND pwd=''")
-- starts a comment, so the rest of the statement (including the pwd check) is ignored. The WHERE clause always evaluates to true, so the query returns rows and the adversary bypasses the login check.
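The following is an added example, not code from the original notes: it runs the buggy query construction from above against a constructed in-memory SQLite table and places it beside the hardened version that uses bound parameters. The table layout (columns user and pwd) and the sample row are assumptions made for the example; the injected value is the one the text gives.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the Users table (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    db.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def lookup_vulnerable(db, form):
    # Mirrors the buggy code: form fields are concatenated into the SQL
    # text, so a quote in the input changes the structure of the statement.
    sql = ("SELECT * FROM Users WHERE user='" + form["user"] + "' "
           "AND pwd='" + form["pwd"] + "'")
    return db.execute(sql).fetchall()


def lookup_safe(db, form):
    # Hardened form: the SQL text is fixed at development time; the values
    # are bound as parameters and are never parsed as SQL.
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return db.execute(sql, (form["user"], form["pwd"])).fetchall()


def demo():
    # Returns the number of rows each variant yields for an honest login
    # and for the injected value from the text (empty password).
    db = make_db()
    honest = {"user": "alice", "pwd": "correct horse"}
    injected = {"user": "' or 1=1 --", "pwd": ""}
    return {
        "vuln_honest": len(lookup_vulnerable(db, honest)),
        "vuln_injected": len(lookup_vulnerable(db, injected)),
        "safe_honest": len(lookup_safe(db, honest)),
        "safe_injected": len(lookup_safe(db, injected)),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query, the injected value returns the whole table even though no password was given; with bound parameters the same value is compared literally against the user column and matches nothing, while the honest login still succeeds in both versions.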