SQLquery~30 mins

How string concatenation creates vulnerabilities in SQL - Try It Yourself

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

How string concatenation creates vulnerabilities

📖 Scenario: You are building a simple user login system for a website. The system needs to check if a username and password match a record in the database.To do this, you write a SQL query that uses string concatenation to insert the username and password directly into the query.

🎯 Goal: Learn how using string concatenation to build SQL queries can create security risks like SQL injection.You will create a simple SQL query using string concatenation and see why it is dangerous.

📋 What You'll Learn

Create a SQL query string that uses string concatenation to insert username and password variables

Add a variable for the username input

Add a variable for the password input

Write the full SQL query string using concatenation of these variables

Show how the final query string looks with the variables inserted

💡 Why This Matters

🌍 Real World

Web applications often need to check user credentials against a database. Understanding how SQL injection works helps developers write safer code.

💼 Career

Database developers, backend engineers, and security professionals must know how to avoid SQL injection to protect applications and user data.

Progress0 / 4 steps

Create username and password variables

Create two variables called username and password and set them to the exact values 'admin' and '1234' respectively.

SQL

# Create variables username and password with exact values
# Your code here

Need a hint?

Use simple assignment statements to create the variables.

Create a SQL query string using string concatenation

Create a variable called query that builds a SQL SELECT statement as a string. Use string concatenation to insert the username and password variables into the query exactly like this: "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'".

SQL

username = 'admin'
password = '1234'
# Create the query string using concatenation
# Your code here

Need a hint?

Use the + operator to join strings and variables.

Explain why this string concatenation is dangerous

Add a comment line explaining that using string concatenation to build SQL queries can allow attackers to insert malicious SQL code, causing SQL injection vulnerabilities.

SQL

username = 'admin'
password = '1234'
query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
# Add a comment explaining the risk of SQL injection
# Your code here

Need a hint?

Write a clear comment about the risk of SQL injection.

Show an example of a malicious input

Change the username variable to the exact string "' OR '1'='1" to simulate an attacker trying to bypass login. Then update the query variable using the same string concatenation method to show how the query becomes unsafe.

SQL

username = 'admin'
password = '1234'
query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
# This method is dangerous because attackers can inject SQL code through username or password inputs causing SQL injection
# Change username to a malicious string and update query
# Your code here

Need a hint?

Use the exact malicious string for username and rebuild the query string.