https://stackoverflow.com/questions/21886430
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianThe language that's being used is not the problem.
The problem is building SQL statements using data from untrusted sources.
It doesn't matter if it's PHP:
$sql = "SELECT * FROM users WHERE id = '$id'";
or if it's in C:
sprintf( sql, "SELECT * FROM users WHERE id = '%s'", id );
In both cases, if the id or $id variable is untrusted input from an outside data source, the SQL being built is tainted. In either case, if an attacker passes in an id of '; drop table users;, then you're building:
SELECT * FROM users WHERE id = ''; drop table users;
The answer to avoiding SQL injection is: do not build SQL statements using outside data.
