
I'm a beginner in the field of databases, and I'm about to understand how free text inputs for queries might be used to compromise a database via SQL injection.

Actually, the relevant xkcd sums it up perfectly:

[image: the xkcd comic]

This certain comic implies that if I don't allow users to form ANY kind of input that contains SQL commands (like DROP, UPDATE, INSERT INTO, etc.) then "illegal" SQL queries can't be done.

Is there anything I'm missing? Or am I right?

Zoltán Schmidt

    And no, the strip is not about removing sql commands from users' input. It is about [doing things right](http://stackoverflow.com/a/5468460/11683). – GSerg Apr 15 '16 at 13:40

1 Answer

You don't have to ban all SQL commands from your inputs, you just need to make sure they are only ever treated as free text so that they cannot be accidentally executed as a command.

This is probably a good place to start:

https://en.wikipedia.org/wiki/SQL_injection

Simon
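An added example (not code from Simon's answer) of what "only ever treated as free text" means in practice. It uses Python's built-in sqlite3 module with a constructed table and a constructed input containing SQL keywords; one function splices the input into the SQL text, the other passes it as a parameter.

```python
import sqlite3

# Constructed sample input: free text that happens to contain SQL. With a
# parameterised query it must be stored as a name, never run as a statement.
BOBBY = "Robert'); DROP TABLE students;--"


def setup():
    """Fresh in-memory database with one table and one row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    return conn


def insert_unsafe(conn, name):
    """Vulnerable: the input becomes part of the SQL text.

    The quote inside the input closes the string literal, so the rest of the
    input is parsed as a second statement. executescript() is used because
    sqlite3's execute() refuses multi-statement strings; many other drivers
    do not, which is what makes this pattern dangerous.
    """
    sql = "INSERT INTO students (name) VALUES ('%s')" % name
    conn.executescript(sql)


def insert_safe(conn, name):
    """Parameterised: the driver receives the value separately from the SQL.

    The value is never parsed as SQL, so DROP, quotes and comment markers
    inside it are just characters of the stored name.
    """
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))


def table_exists(conn):
    """True if the students table still exists."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row[0] == 1


def names(conn):
    """All stored names, sorted, so the effect of each insert can be checked."""
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]
```

Running `insert_unsafe` with `BOBBY` drops the table; running `insert_safe` with the same input stores it verbatim next to "Alice".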