Since there are a lot of SQL injection attacks happening on the internet these days, I decided to write a little about it.
What is SQL Injection?
SQL injection is an attack in which untrusted input, such as a value submitted through a form on a web page, is placed into an SQL statement in a way that lets part of the input be interpreted as SQL syntax rather than as data. The attacker can then change what the query does: read, modify or delete data they should not be able to reach, or bypass a login check entirely.
How to Prevent SQL Injection?
The primary defence is to keep query structure and data separate: use prepared statements (parameterized queries), in which the SQL text contains placeholders and the user-supplied values are passed to the database driver separately, so they are never parsed as SQL no matter what characters they contain. Input validation with allowlists (which specify exactly the characters, lengths or values that are acceptable) is useful as a second layer, and it is the right tool for the parts of a query that cannot be parameterized, such as a column name used for sorting, which should be checked against a fixed list of expected names. Escaping special characters by hand is error-prone and should not be your main control. Beyond that, never trust user input: validation reduces the attack surface, but the input still came from an untrusted party, so treat it as data that must never become part of the query text. It also helps to give the application's database account only the privileges it actually needs, so that a successful injection does less damage. If you follow these guidelines, you can help to prevent SQL injection attacks on your web application.
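The following is an added example, not code from the original post, showing the difference between building a login query by string concatenation and using a prepared statement, plus an allowlist check for a column name that cannot be parameterized. It uses Python's built-in sqlite3 module with a constructed in-memory users table (the table, user names and passwords are made up for the example; a real application would store password hashes, not plaintext).

```python
import re
import sqlite3


def make_db():
    """Create a constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse battery staple')")
    conn.execute("INSERT INTO users (username, password) VALUES ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the input is pasted into the SQL text, so quotes and
    comment markers in it are interpreted as SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Safe: '?' placeholders keep the query structure fixed; the values are
    handed to the driver separately and are never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Allowlist for a username field: letters, digits and underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username):
    """Defence in depth: reject anything outside the expected character set."""
    return USERNAME_RE.fullmatch(username) is not None


# Identifiers (table or column names) cannot be bound as parameters, so the
# only safe option is to compare the requested name against a fixed list.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn, column):
    """Sort by a client-chosen column, allowing only known column names."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % column)
    rows = conn.execute("SELECT username FROM users ORDER BY " + column).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Classic payloads: a tautology in the password, and a comment that
    # truncates the password check from the username field.
    for user, pw in [("alice", "' OR '1'='1"), ("alice' --", "wrong")]:
        print("vulnerable:", user, pw, "->", login_vulnerable(db, user, pw))
        print("safe:      ", user, pw, "->", login_safe(db, user, pw))
    print("valid username?", is_valid_username("alice' --"))
    print(list_users_sorted(db, "username"))
```

With the concatenated query, the password `' OR '1'='1` turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which is always true, and the username `alice' --` comments out the password check; the parameterized version rejects both because the whole string is compared as a literal value. The allowlist on the sort column is what stops `username; DROP TABLE users` style input where a placeholder cannot be used.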
On the Stack Exchange site, there's an interesting question asking "SQL injection is 17 years old. Why is it still around?". The replies are very funny and informative; for example, one answer says, "You know that malaria is still around, right? And that actually kills people." Another reply says, "There is no general fix for SQLi because there is no fix for human stupidity." I somehow agree with the replies there.
If you search Google for SQL injection demos, you will see a lot of Google dorks to try on the web. But I recommend you not do any of that, because we can't simply go to other people's websites and do random things. It's always better to build your own lab on virtual machines, or just use ready-made practice targets such as DVWA or bWAPP.
Happy hacking :)