SQL Injection
technique used for manipulating Web services that send SQL queries to an RDBMS to alter, insert, or delete data in a database
SQL injections work more often than they should
SELECT * FROM user_data WHERE last_name = 'Tom' OR '1' = '1'
display the user_data associated with the user TOM
give us everything because 1 = 1
SQL injections are perfect examples of weaknesses in Integrity Controls