SQL injection is an attack technique that attempts to gain access to the system by sending escape characters (such as a single quote) as part of user input so that a rogue command is injected into the SQL statement. It happens when a web site allows user input to pass directly into the command string and be executed by the database without any filtering of unwanted command characters. Needless to say, it's something we don't want happening in our Content Management System.
An example of SQL injection is where an input into a form contains an unexpected set of characters. Suppose you had an SQL statement that accepted a product name as input and searched for it in the Products table of your database. The SQL statement might look like this:
SQLstatement = "SELECT * FROM Products WHERE ProductName ='" & ProductName & "';"
If a user entered Chair, the resulting statement would look like:
SELECT * FROM Products WHERE ProductName ='Chair';
This is perfectly fine. Your SELECT statement will find any product named Chair...
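As an added example (not code from the original page), here is the concatenated statement above beside a parameterized version, using Python's sqlite3 module and a constructed in-memory Products table: a product name containing an apostrophe breaks the concatenated statement, while a bound parameter is treated purely as data.

```python
import sqlite3

# Constructed sample rows standing in for the Products table mentioned in the text.
SAMPLE_PRODUCTS = [("Chair",), ("Table",), ("O'Brien Chair",)]


def make_db():
    """Create an in-memory Products table holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Products (ProductName TEXT)")
    con.executemany("INSERT INTO Products VALUES (?)", SAMPLE_PRODUCTS)
    return con


def search_concatenated(con, product_name):
    """Vulnerable: builds the statement by string concatenation, as the page shows.

    A quote character inside product_name becomes part of the SQL syntax, so
    the database no longer sees the statement the developer intended.
    """
    statement = "SELECT * FROM Products WHERE ProductName ='" + product_name + "';"
    return con.execute(statement).fetchall()


def search_parameterized(con, product_name):
    """Hardened: the statement text is fixed and the input is bound as a parameter.

    The database treats product_name purely as a value to compare against,
    quotes included, so it cannot alter the structure of the statement.
    """
    sql = "SELECT * FROM Products WHERE ProductName = ?"
    return con.execute(sql, (product_name,)).fetchall()


def concatenation_breaks(con, product_name):
    """Return True when the concatenated query fails to parse for this input."""
    try:
        search_concatenated(con, product_name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_concatenated(db, "Chair"))          # works for a plain name
    print(search_parameterized(db, "O'Brien Chair"))  # quote handled as data
    print(concatenation_breaks(db, "O'Brien Chair"))  # True: syntax error
```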