SQL Injection
Posted by: Sudhir Chekuri, Sunday, 27 November 2016
Hacking a database by entering input data that manipulates SQL queries is known as SQL injection.
Example:
Expected: select * from tbl_data where name='admin' and pwd='password'
Hacked: select * from tbl_data where name='admin' and pwd='' or 'a'='a'
Here the attacker typed ' or 'a'='a as the password. Because the application pasted that text straight into the query, the attacker's quote closed the pwd comparison early and the trailing or 'a'='a' is always true, so the login succeeds without a valid password.
With SQL injection an attacker may read, overwrite or delete data in the database, or make the application behave in a different way.
SQL injection can be done through POST and GET parameters, cookie values, form fields and header values: any input that ends up inside a query.
Parameterized SQL queries are the primary control against SQL injection.
In .NET -> ADO.NET, write the query with placeholders (@name) and attach the values through SqlCommand.Parameters instead of concatenating them into the query text. The value is then sent to the database as data, never as part of the SQL, so quotes in the input cannot change the structure of the query.
Input validation (checking that values match the expected format) also reduces the attack surface, but it must be done on the server; client-side validation alone is bypassed by simply sending the request directly.
Stored procedures reduce SQL injection only when they are called with parameters and do not themselves build dynamic SQL from their inputs (for example with EXEC on a concatenated string).
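The login check above written both ways in C#, as an added example that is not code from the original post. It assumes the Microsoft.Data.Sqlite NuGet package and an in-memory SQLite database so that it runs offline (the same SqlCommand.Parameters pattern applies to SqlClient against SQL Server); the table tbl_data(name, pwd) and the payload ' or 'a'='a come from the post, while the LoginVulnerable and LoginParameterized names are mine.

```csharp
// Added example, not from the original post. Assumes the Microsoft.Data.Sqlite
// package so the code runs against an in-memory SQLite database instead of a
// SQL Server instance. Table and columns follow the post: tbl_data(name, pwd).
using System;
using Microsoft.Data.Sqlite;

class SqlInjectionDemo
{
    // Vulnerable: user input is concatenated into the query text, so quotes in
    // the input become part of the SQL the database parses.
    static bool LoginVulnerable(SqliteConnection conn, string name, string pwd)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "select count(*) from tbl_data where name='" + name
                        + "' and pwd='" + pwd + "'";
        Console.WriteLine("Query sent to database: " + cmd.CommandText);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    // Safe: placeholders in the query, values attached as parameters. The
    // database receives the query structure and the values separately, so the
    // payload is compared as a literal string and never parsed as SQL.
    static bool LoginParameterized(SqliteConnection conn, string name, string pwd)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "select count(*) from tbl_data where name=@name and pwd=@pwd";
        cmd.Parameters.AddWithValue("@name", name);
        cmd.Parameters.AddWithValue("@pwd", pwd);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();

        // Constructed sample data: a single account with the post's credentials.
        var setup = conn.CreateCommand();
        setup.CommandText = "create table tbl_data(name text, pwd text);"
                          + "insert into tbl_data values('admin', 'password');";
        setup.ExecuteNonQuery();

        string attackerPwd = "' or 'a'='a";   // the payload from the post

        // Wrong password is rejected by both versions.
        Console.WriteLine("Vulnerable, wrong password:   " + LoginVulnerable(conn, "admin", "wrong"));
        // The injected or 'a'='a' makes every row match: the check is bypassed.
        Console.WriteLine("Vulnerable, payload:          " + LoginVulnerable(conn, "admin", attackerPwd));
        // Same payload as a parameter value only matches a password literally
        // equal to ' or 'a'='a, which does not exist: rejected.
        Console.WriteLine("Parameterized, payload:       " + LoginParameterized(conn, "admin", attackerPwd));
        // The real password still works through the parameterized query.
        Console.WriteLine("Parameterized, real password: " + LoginParameterized(conn, "admin", "password"));
    }
}
```

Run with `dotnet add package Microsoft.Data.Sqlite` followed by `dotnet run`; the printed query from LoginVulnerable shows the attacker's quote ending the pwd comparison exactly as in the "Hacked" line above. Against SQL Server, prefer creating SqlParameter objects with an explicit SqlDbType and size over AddWithValue, which infers the type from the .NET value and can cause implicit conversions.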