# What you'll learn

After watching this video, you'll be able to:
* Describe an SQL injection.
* Compare an SQL statement and an SQL injection statement.

# SQL injection

* A structured query language injection is a common attack on relational databases.
* Vulnerabilities found in databases such as unpatched software or improper configuration allow for malicious attacks to occur using SQL injections.
* SQL injections can also occur within SQL statements submitted to relational databases.

# Common SQL attack

* Attackers implement common SQL attacks to compromise a database.
* A common attack is the submission of suspicious characters in an SQL statement.

![image.png](attachment:66bb651c-5fd5-4959-a9cf-97103850ae1c.png)

**For instance:**
* Characters such as **single** or **double** quotes can be used to alter an SQL statement that uses string concatenation.
* By abusing quotes, attackers may purposefully submit SQL statements lacking proper criteria and make an otherwise false statement true.
* Another common character that attackers abuse is this **semicolon** because it separates SQL commands.
* Since a semicolon ends a command, it can be used to end the original SQL command and start another command that can attack the system.
* A fourth type of abuse common character is the **dash** character.
* In SQL syntax, two dash characters begin an inline comment.
* This can allow attackers to eliminate the value of the second half of an SQL query.

# SQL Injection command

![image.png](attachment:bc13a26d-48af-48fa-a5c7-ee635040d041.png)

Now let's look at an example of an SQL statement that is vulnerable to an SQL injection attack.
* The first two lines of this Python code are getting a **`username`** and **`password`** from the request arguments.
* It then creates an SQL statement by concatenating several strings that form a **`SELECT`** statement.
* It starts with **`SELECT name FROM user WHERE username =`** and then it uses the plus character to concatenate whatever was sent in the request parameter **`username`**.
* Then it continues to concatenate the words **`AND password =`**, and again, it blindly uses the plus character to concatenate whatever was sent in the request parameter **`password`**.
* Finally, it sends that resulting string to the SQL database engine to be executed.
* This is where the attack gets carried out.
* If the attacker was to use some of the suspicious characters we discussed, the statement might not do what the programmer had originally intended.

# SQL Injection prevention

**How do you prevent this type of SQL injection attack from occurring?**

The secret is to use **placeholders**.

![image.png](attachment:6db8afa0-cc33-4c02-82ae-b2960dbb738d.png)

In the Python code shown, the same two lines of code are used to get the **`username`** and **`password`** from the request.
* What is different is the SQL statement.
* Instead of concatenating strings, it uses the **question mark as a placeholder** for **where the variable should be substituted**.
* In the last line of code, you see that not only is the database engine executing the SQL statement, but it has also then passed the two variables that are to be used for substitution.
* It will use these in place of the question marks.

# Differences between the SQL statements

![image.png](attachment:44318001-6063-4f49-aa59-f80618ae9f79.png)

The difference is subtle but important.
	• **Case 1 - `using string concatenation`**: the database will interpret the entire string, including any malicious commands that have been injected.
	• **Case 2 - `variable substitution placeholders`**: the database knows that the variables are data and not to be interpreted.
		○ For example, if the variable contained the string **`DROP TABLE USER;`** it would not be executed.
		○ The words would simply be inserted into the database with no tables being dropped.

Just to reiterate:
* When **using string concatenation**, the words **`DROP TABLE USER;`** would be **interpreted as a command and executed** by the database.
* Whereas when **using placeholders**, the words **`DROP TABLE USER;`** would be **interpreted as data (not as command & neither executed)** and safely inserted into the database as just text.

# Summary

In this video, you learned that:
* SQL injection is a common attack on relational databases.
* SQL injections can also occur within SQL statements submitted to relational databases.
* Attackers implement common SQL attacks by submitting suspicious characters like **single quotes**, **double quotes**, **semicolons** and **dashes** to compromise a database.
* You looked at how an SQL statement can be vulnerable and how to prevent it by using **placeholders**.