StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
19129278
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
5
CommunityOwnedDate
CreationDate
2013-10-02T02:53:43.207
FavoriteCount
0
LastActivityDate
2013-10-02T14:05:19.657
LastEditDate
2013-10-02T14:05:19.657
LastEditorUserId
20860
OwnerUserId
20860
ParentId
19129094
PostTypeId
2
Score
0
ViewCount
0
LastEditorDisplayName
text
Body
I'm a training instructor for MySQL. I was telling a group of attendees about the risks of SQL injection, and one guy said, "show me." He handed me his laptop, which had a browser open to the login screen of his website (actually it was just a QA instance of it). Knowing nothing about his code or his database, I made an educated guess that he had an SQL query like yours, that he wasn't using query parameters, and that he wasn't escaping input properly. I entered a string for login including close-quote and some boolean expression, and then I entered random keystrokes for the password. His application authenticated my bogus login, and I was in. I don't think it's appropriate to show you exactly how I did it, but it isn't rocket science -- minimal knowledge of boolean algebra is all you need. But the point is that SQL injection of a SELECT query can allow illicit actions, just like SQL injection of a statement that modifies data. <hr> Re your comments on bad info: It's true that query parameters can't be spoofed, and there's no need to use escaping functions. But query parameters work only in places where you would normally use a single string, date, or numeric literal. Query parameters can't be used for dynamic table names, column names, lists of values, SQL keywords, expressions, etc. For those, you still need to interpolate application variables into your SQL query before calling prepare(), like old-school, unsafe programming. Therefore you still need to be careful to avoid SQL injection vulnerabilities. The best way to do that is to whitelist content before including it in SQL queries. See my presentation <a href="http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies" rel="nofollow">SQL Injection Myths and Fallacies</a> for more information, or a <a href="http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies" rel="nofollow">webinar of me presenting it</a> (free, but requires registration). I also wrote about SQL injection in a chapter of my book, <a href="http://pragprog.com/book/bksqla/sql-antipatterns" rel="nofollow">SQL Antipatterns: Avoiding the Pitfalls of Database Programming</a>.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POPrepared statement security while fetching
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USBill Karwin
UserOwnerUserId
1. USBill Karwin
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.