Security is a major concern for any web application. As experts say, no web application can be 100% secure, but we can certainly try to minimize the security threats. SQL injection is just one area where your web application can be vulnerable. In this article I will concentrate on SQL injection.
A database is an integral part of any dynamic web site; it is where we store product information, user information, and much more. This stored data can sometimes be of a very sensitive nature, such as addresses, email, or even financial details. It is the responsibility of the company running the web site to protect this data from being stolen. Using SQL injection, someone can corrupt this data or steal it, and if the data is not fully protected it can even be deleted.
SQL injection relies on the SQL queries that you perform on your database. An attacker will try to inject their own SQL into the query that you execute against your database. Suppose you allow your visitors to search for products on your website: someone can embed SQL in the product description that you expect them to enter. When you then search your database for that description, you are in fact executing the attacker's SQL along with your own search query. As I said before, this injected SQL can be of a very serious nature.
To protect your application against SQL injection, avoid building SQL queries by simply concatenating strings, and use parameterized SQL queries instead. The parameters in a parameterized query are treated as plain values (for example, the value compared against a single column) and can never be executed as an independent SQL statement. There are many other ways to protect against SQL injection, but parameterized queries will give your application the much needed security.
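The product-search scenario described above, written out as an added example that is not part of the original article. It uses Python's standard `sqlite3` module with a small constructed in-memory product table (the catalogue contents and function names are assumptions made for the demonstration) and shows the concatenated query beside its parameterized replacement, so the difference in behaviour for the same visitor input can be observed directly:

```python
import sqlite3

# Constructed sample catalogue for the demonstration; not real data.
PRODUCTS = [
    ("Widget", "Blue widget, small"),
    ("Gadget", "Red gadget, large"),
    ("Internal Sprocket", "Unreleased item, internal only"),
]


def make_db():
    """Create an in-memory database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_concatenated(conn, term):
    """VULNERABLE: the visitor's text is spliced into the SQL statement itself,
    so whatever they type is parsed by the database as part of the query."""
    sql = "SELECT name FROM products WHERE description LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """SAFE: the visitor's text is bound to the '?' placeholder as a value.
    The statement text is fixed before the value is supplied, so the input
    can only ever be compared against the description column, never run."""
    sql = "SELECT name FROM products WHERE description LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run both searches on the same input and report what each returns.
    A query that fails to parse (as concatenation does on a stray quote)
    is reported as the error name rather than a result list."""
    conn = make_db()
    try:
        unsafe = search_concatenated(conn, term)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = search_parameterized(conn, term)
    conn.close()
    return {"concatenated": unsafe, "parameterized": safe}


if __name__ == "__main__":
    # An ordinary search: both versions behave the same.
    print(compare("widget"))
    # A perfectly legitimate name containing a quote breaks concatenation
    # outright, while the parameterized query simply finds no match.
    print(compare("O'Reilly"))
    # The classic tautology: concatenation returns every row, including the
    # unreleased product; the parameterized query treats it as a literal
    # string to search for and returns nothing.
    print(compare("' OR '1'='1"))
```

The placeholder syntax depends on the database driver: `sqlite3` uses `?`, while drivers such as `psycopg2` and `MySQLdb` use `%s`; in every case the value is passed as a separate argument to `execute()` rather than formatted into the SQL string.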