SQLi
Definition
SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. It typically occurs when user input is included directly in the text of a SQL statement without proper sanitization or parameterization, so that the input is interpreted as SQL rather than as data. This can lead to unauthorized data access, data modification, or even complete control over the database server.
Secure Settings Example
# Using parameterized queries to prevent SQL injection in Python with SQLite
import sqlite3

def get_user_data(user_id):
    connection = sqlite3.connect('example.db')
    try:
        cursor = connection.cursor()
        # Parameterized query: user_id is bound by the driver as a value,
        # so it can never alter the structure of the statement
        cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
        return cursor.fetchall()
    finally:
        connection.close()
Insecure Settings Example
# Vulnerable to SQL injection due to string concatenation in Python with SQLite
import sqlite3

def get_user_data(user_id):
    connection = sqlite3.connect('example.db')
    try:
        cursor = connection.cursor()
        # Directly concatenating user input into the SQL query: whatever the
        # caller supplies becomes part of the statement text (kept deliberately
        # vulnerable to illustrate the flaw)
        cursor.execute("SELECT * FROM users WHERE id = " + user_id)
        return cursor.fetchall()
    finally:
        connection.close()
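The following is an added, self-contained example (not part of the original page) that runs both patterns above side by side against an in-memory SQLite database, so the difference between a bound parameter and a concatenated value can be observed directly. The `users` table contents and the input value `"1 OR 1=1"` are constructed for the demonstration; `str(user_id)` is used in the concatenating version only so the same call signature works for both functions.

```python
# Added example, not from the original page: compare the page's secure and
# insecure lookups against an in-memory SQLite database.
import sqlite3

# Constructed sample rows; the table mirrors the page's "users" table.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Constructed input that is no longer a plain id once pasted into SQL text.
HOSTILE_INPUT = "1 OR 1=1"


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_user_data_safe(conn, user_id):
    """Parameterized query: user_id is sent as a bound value, never as SQL."""
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE id = ?", (user_id,))
    return cur.fetchall()


def get_user_data_unsafe(conn, user_id):
    """String concatenation: user_id becomes part of the statement itself."""
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE id = " + str(user_id))
    return cur.fetchall()


def compare(user_id):
    """Return (safe_rows, unsafe_rows) for the same input, for side-by-side inspection."""
    conn = make_db()
    try:
        return get_user_data_safe(conn, user_id), get_user_data_unsafe(conn, user_id)
    finally:
        conn.close()


if __name__ == "__main__":
    safe_rows, unsafe_rows = compare(HOSTILE_INPUT)
    print("input:", repr(HOSTILE_INPUT))
    # Bound value: the literal text matches no integer id, so no rows.
    print("parameterized ->", safe_rows)    # []
    # Concatenated: the WHERE clause itself was rewritten, so every row.
    print("concatenated  ->", unsafe_rows)  # [(1, 'alice'), (2, 'bob'), (3, 'carol')]
```

With a legitimate id such as `2`, both functions return the single matching row; the behaviour only diverges when the input carries SQL syntax, which is exactly the case the parameterized form is designed to neutralize.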