0
0
SQLquery~20 mins

How string concatenation creates vulnerabilities in SQL - Practice Exercises

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
SQL Injection Defender
Get all challenges correct to earn this badge!
Test your skills under time pressure!
query_result
intermediate
2:00remaining
SQL Injection Risk from String Concatenation

Consider the following SQL query built using string concatenation in an application:

sql = "SELECT * FROM users WHERE username = '" + user_input + "';"

If user_input is admin'; DROP TABLE users; --, what will be the result of executing this query?

SQL
SELECT * FROM users WHERE username = 'admin'; DROP TABLE users; --
AThe query ignores the DROP TABLE command and only returns data for 'admin'.
BThe query returns no data and causes a syntax error.
CThe query safely returns data for the username including the special characters.
DThe query returns user data for 'admin' and then deletes the entire users table.
Attempts:
2 left
💡 Hint

Think about how the input breaks out of the string and adds a new command.

🧠 Conceptual
intermediate
1:30remaining
Why String Concatenation is Unsafe for SQL Queries

Why is building SQL queries by concatenating strings with user input considered unsafe?

ABecause concatenated strings use more memory than parameterized queries.
BBecause it can allow attackers to inject malicious SQL code that the database will execute.
CBecause string concatenation is slower than using prepared statements.
DBecause concatenation causes syntax errors in SQL statements.
Attempts:
2 left
💡 Hint

Focus on security risks related to user input.

📝 Syntax
advanced
1:30remaining
Identify the Vulnerable SQL Query Syntax

Which of the following SQL query constructions is vulnerable to SQL injection due to string concatenation?

Asql = "SELECT * FROM products WHERE id = " + product_id;
Bsql = "SELECT * FROM products WHERE id = ?"; // using parameter binding
Csql = "SELECT * FROM products WHERE id = $1"; // using prepared statement
Dsql = "SELECT * FROM products WHERE id = :id"; // named parameter
Attempts:
2 left
💡 Hint

Look for direct concatenation of variables into the query string.

🔧 Debug
advanced
2:00remaining
Debugging a String Concatenation Vulnerability

A developer wrote this code to get user info:

query = "SELECT * FROM users WHERE email = '" + email + "'";

Users report that entering an email with a single quote causes errors. What is the main problem?

AThe email variable is not converted to lowercase.
BThe query is missing a semicolon at the end.
CThe single quote in the email breaks the string, causing a syntax error.
DThe query uses double quotes instead of single quotes.
Attempts:
2 left
💡 Hint

Think about how quotes inside strings affect SQL syntax.

optimization
expert
2:30remaining
Best Practice to Prevent Injection from String Concatenation

Given the risk of SQL injection from string concatenation, which approach best prevents this vulnerability while querying a database?

AUse parameterized queries or prepared statements to separate code from data.
BEscape all single quotes in user input before concatenation.
CLimit user input length to prevent injection.
DUse string concatenation but validate input with regex.
Attempts:
2 left
💡 Hint

Think about how to separate user data from SQL commands safely.