SQL Injection

Julio Anthony Leonard
1 min read, Oct 9, 2018

According to OWASP, the organization that maintains the Top 10 list of web application security risks, injection (of which SQL injection is the best-known form) is number one in that list, and it can happen to any company.

First things first, what is an injection? Basically, it is a way for an attacker on the client side to read, modify or destroy our database. It happens when, for example, we ask a user for their name and they supply a fragment of SQL instead; our code pastes that fragment into a query and unknowingly runs it against the database.

For example, we have a user API that looks a user up by email. The client sends

email = 'juan@gmail.com'

and whenever a user submits their email, our code builds a query from it and runs it to fetch that user's row from the Users table, like this:

SELECT * FROM Users WHERE email = 'juan@gmail.com'

That is fine for a normal email, but what if the user enters the following as their email?

juan@gmail.com'; DELETE FROM Users WHERE email = 'juan@gmail.com'; --

The first quote closes our string literal, the semicolon ends our SELECT, and the -- comments out the closing quote our code appends afterwards. The query we now send to the database is:

SELECT * FROM Users WHERE email = 'juan@gmail.com'; DELETE FROM Users WHERE email = 'juan@gmail.com'; --'
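As an added example (not code from the original post), here is the concatenation bug and the payload above run against a small in-memory SQLite database, next to the parameterized query that closes the hole. The Users table, its three sample rows and the function names are constructed for this demo; the `' OR '1'='1` payload is included to show that the same closing-quote trick also reads the whole table without needing a second statement. SQLite's execute() refuses stacked statements, so executescript() stands in for a driver that runs them (an assumption made only to reproduce the DELETE).

```python
import sqlite3

# Constructed sample rows for the demo (not data from the original post).
SAMPLE_USERS = [
    (1, "juan@gmail.com", "Juan"),
    (2, "maria@example.com", "Maria"),
    (3, "admin@example.com", "Admin"),
]

# Inputs the client might send in the email field.
LEGIT_EMAIL = "juan@gmail.com"
# The post's payload: closes the string literal, ends the SELECT, appends a
# DELETE, and comments out the closing quote the application adds.
STACKED_PAYLOAD = "juan@gmail.com'; DELETE FROM Users WHERE email = 'juan@gmail.com'; --"
# Single-statement variant: keeps the query structure but makes the WHERE
# clause true for every row, so the whole table comes back.
BYPASS_PAYLOAD = "' OR '1'='1"


def make_db():
    """Fresh in-memory SQLite database holding the sample Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_users(conn):
    """Number of rows currently in Users (used to see whether the DELETE ran)."""
    return conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0]


def build_query_vulnerable(email):
    """The bug: user input is pasted into the SQL text, so quotes and
    semicolons in the input become part of the query's structure."""
    return "SELECT * FROM Users WHERE email = '" + email + "'"


def lookup_vulnerable(conn, email):
    """Runs the concatenated query through the ordinary single-statement path."""
    return conn.execute(build_query_vulnerable(email)).fetchall()


def lookup_vulnerable_multistatement(conn, email):
    """Same concatenation on a driver that executes stacked statements.
    sqlite3's execute() refuses more than one statement per call, so
    executescript() stands in for such a driver here (demo assumption)."""
    conn.executescript(build_query_vulnerable(email))


def lookup_safe(conn, email):
    """The fix: the SQL text is fixed and the input is bound as a value, so
    whatever the input contains it can only ever be compared against email."""
    return conn.execute("SELECT * FROM Users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("legit lookup:", lookup_vulnerable(conn, LEGIT_EMAIL))
    print("bypass payload via concatenation:", len(lookup_vulnerable(conn, BYPASS_PAYLOAD)), "rows")
    print("bypass payload via parameters:", len(lookup_safe(conn, BYPASS_PAYLOAD)), "rows")
    print("stacked query sent to the database:\n  " + build_query_vulnerable(STACKED_PAYLOAD))
    lookup_vulnerable_multistatement(conn, STACKED_PAYLOAD)
    print("users left after the injected DELETE:", count_users(conn))
    conn2 = make_db()
    lookup_safe(conn2, STACKED_PAYLOAD)
    print("users left with the parameterized query:", count_users(conn2))
```

Run it and the concatenated lookup returns all three rows for the bypass payload and loses Juan's row to the stacked DELETE, while the parameterized lookup returns nothing for either payload and leaves the table untouched: the driver never parses the bound value as SQL.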

The user can now delete rows from our database, and with a payload such as ' OR '1'='1 in place of the DELETE they can read every row in the table, which is the most dangerous part. Stacking a second statement only works when the database driver executes more than one statement per call, but the root cause is the same either way: user input is pasted into the query text. Make sure you never build SQL by concatenating user input in your code. I will add more about how we can avoid SQL injection later, see ya!
