
I'm a beginner in the field of databases, and I'm trying to understand how free-text inputs for queries might be used to compromise a database via SQL injection.

Actually, the relevant xkcd sums it up perfectly:


This comic implies that if I don't allow users to form ANY kind of input that contains SQL commands (like DROP, UPDATE, INSERT INTO, etc.), then "illegal" SQL queries can't be done.

Is there anything I'm missing? Or am I right?

  • And no, the strip is not about removing SQL commands from the user's input. It is about doing things right. Commented Apr 15, 2016 at 13:40

1 Answer

You don't have to ban all SQL commands from your inputs, you just need to make sure they are only ever treated as free text so that they cannot be accidentally executed as a command.

This is probably a good place to start:

https://en.wikipedia.org/wiki/SQL_injection
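As an added illustration of the point in the answer above (example code, not part of the original post or the answerer's own): a small Python `sqlite3` script with a constructed `students` table, showing a query built by string formatting beside a parameterised one. The table, the sample names and the attacker input are assumptions chosen for the demo. It also shows why a keyword blocklist is the wrong fix: the classic `' OR '1'='1` payload contains no SQL command word at all, while a perfectly legitimate row named "DROP TABLE" is handled fine once the text is passed as a parameter.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
# Two of the names deliberately contain quotes and SQL keywords.
SAMPLE_NAMES = ["Alice", "Robert'); DROP TABLE students;--", "DROP TABLE"]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Parameterised insert: the driver stores the awkward names verbatim,
    # because they travel as data, not as part of the statement text.
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def find_student_unsafe(conn, name):
    """VULNERABLE: user text is spliced into the SQL string.

    A single quote in `name` ends the literal early, so whatever follows it
    becomes part of the statement the database executes.
    """
    sql = f"SELECT name FROM students WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_student_safe(conn, name):
    """Parameterised query: `name` is bound as a value and can never change
    the structure of the statement, no matter what characters it contains."""
    sql = "SELECT name FROM students WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups against the same data and return the results."""
    conn = make_db()
    attack = "' OR '1'='1"  # constructed attacker input; note: no SQL keyword in it
    return {
        # The string-built query becomes WHERE name = '' OR '1'='1' and leaks every row.
        "unsafe_with_attack": find_student_unsafe(conn, attack),
        # The bound parameter is compared literally; nobody is called "' OR '1'='1".
        "safe_with_attack": find_student_safe(conn, attack),
        # A keyword filter would reject this legitimate lookup; parameters handle it.
        "safe_keyword_name": find_student_safe(conn, "DROP TABLE"),
        # Quotes and a semicolon in the value are just characters to the safe query.
        "safe_quoted_name": find_student_safe(conn, "Robert'); DROP TABLE students;--"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it prints all three names for `unsafe_with_attack` and an empty list for `safe_with_attack`; the two `safe_*` lookups return exactly the stored row. The same idea applies to any driver: use its placeholder syntax (`?`, `%s`, `:name`, depending on the library) and pass the values separately, rather than escaping or filtering the text yourself.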
