Demo On SQL Injection

 

Design the Web Page using HTML in Eclipse as follows.

 

 

In the Java Servlet we have to write the code for Database connectivity. Here is the sample snippet in figure 3.

 

 

Once we execute with the proper input the program works properly as follows.

 

 

 

This is the time to perform SQL Injection. Let’s see how this function works. Here we have two input fields named User name and password. These fields are vulnerable. Because the attacker can give some tricky statement such that he can bypass the database server even if the password does not match. For an example, if the user gives the input in the password field as follows 'or '1'='1 then irrespective of any input you have given in the Username field the result always shows Success.

 

Because of OR 1=1 statement in the where clause it always returns True. So this way any attacker can play with the sql statement that we thought was unbreakable. This is called SQL Injection.

 

 

 

The only way to prevent SQL Injection attacks are by using parameterized queries that includes prepared statements. The application code should not get by the user input directly. The above sql statement snippet can be changed as follows to prevent sql injection.