Consider a web application that constructs the following SQL query by inserting the user-supplied username directly, without sanitization:
SELECT * FROM users WHERE username = 'user_input';
If the user inputs ' OR '1'='1, what will the query return?
SELECT * FROM users WHERE username = '' OR '1'='1';
Think about how the OR condition affects the WHERE clause.
The injected OR condition '1'='1' is always true, so the WHERE clause matches all rows, returning the entire users table.
Given this query construction in code:
query = "SELECT * FROM products WHERE category = '" + user_input + "';"
Which part allows SQL injection?
Consider how user input is included in the query.
Concatenating user_input directly into the query string (the + user_input + part) without sanitization or parameterization allows attackers to inject malicious SQL code.
Choose the correct SQL query syntax using parameters to safely query a user by username.
Look for the syntax that uses placeholders for parameters.
Using ? as a placeholder allows safe binding of user input, preventing injection.
Examine this code snippet:
query = f"SELECT * FROM orders WHERE order_id = {order_id};"
Assuming order_id comes from user input, why is this vulnerable?
Think about how user input is included in the query string.
Interpolating user input directly into the query string without validation or parameter binding allows attackers to inject malicious SQL code.
Given a web app querying user data by email, which option both prevents SQL injection and optimizes query execution?
Consider both security and performance aspects.
Parameterized queries prevent injection, and indexing the email column speeds up lookups.