SQL Injection

SQL Injection is an application security hole. It happens when an application builds a SQL statement from a string supplied by the user. Usually the string reaches the web server in an HTTP request. For example:

    String str = request.getParameter("name");
    String sqlStr = "select * from account where id=1 and name= " + str;

If str is "kevin", sqlStr is:

    select * from account where id=1 and name = kevin

If str is "kevin or id = 2", sqlStr becomes:

    select * from account where id=1 and name = kevin or id = 2

and the query now matches the account with id 2 as well as the row the developer intended.
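The following is an added example, not code from the original page, that reproduces the concatenation problem above against an in-memory SQLite database and places it next to the parameterized fix. The table layout, the sample rows and the helper names (make_db, lookup_concat, lookup_param) are constructed for this illustration; the account table and the "or id = 2" input come from the text.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small account table with three rows
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [(1, "kevin", 100), (2, "alice", 250), (3, "bob", 75)],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the user-supplied value is pasted into the SQL text,
    # so anything in it that is valid SQL becomes part of the statement.
    sql = "select * from account where id=1 and name='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Fixed: the value travels separately from the SQL text as a bound
    # parameter, so the database only ever compares it as data.
    sql = "select * from account where id=1 and name=?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "kevin"
    # Constructed input in the shape the page describes ("... or id = 2");
    # the quote closes the literal and the trailing -- comments out the rest.
    hostile = "kevin' or id = 2 --"
    print("concat, benign :", lookup_concat(db, benign))
    print("concat, hostile:", lookup_concat(db, hostile))
    print("param,  benign :", lookup_param(db, benign))
    print("param,  hostile:", lookup_param(db, hostile))
```

Running the block shows lookup_concat returning two rows for the hostile input, because the WHERE clause has been rewritten to "(id=1 and name='kevin') or id = 2", while lookup_param returns no rows for the same input: there is simply no account whose name is that string. A bound parameter, not escaping, is the fix to reach for.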