You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
This lesson explains SQL injection, a common and dangerous attack technique covered in OCR J277 Section 1.4. SQL injection targets databases through web applications and can result in data theft, data modification, or complete system compromise.
SQL (Structured Query Language) is the standard language used to communicate with and manage relational databases. Web applications commonly use SQL to:
For example, when you log in to a website, the application might run an SQL query like:
SELECT * FROM users WHERE username = 'john' AND password = 'secret123'
If this query returns a matching record, the user is granted access.
SQL injection is an attack where malicious SQL code is inserted into input fields (such as login forms or search boxes) that are then passed to a database query. If the application does not properly validate or sanitise user input, the injected SQL is executed by the database server.
SELECT * FROM users WHERE username = '[input]' AND password = '[input]'
' OR 1=1 --
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = ''
OR 1=1 is always true, so the query returns all users. The -- is an SQL comment that ignores the rest of the query.OCR Exam Tip: You do not need to write SQL code in the exam, but you must be able to explain what SQL injection is and how it works. Describe it as: "entering malicious SQL code into an input field to manipulate the database query."
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.