Home/ Questions/Q 590097
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T15:29:35+00:00

So, I read article about SQL injection and there was an example: SELECT *

  • 0

So, I read article about SQL injection and there was an example:

SELECT * FROM table_name WHERE smth = 'x'; 
UPDATE table_name SET smth ='smth@email.addr' WHERE user = 'admin';

Why it doesn’t work? Or it is an old article and nowadays this way is nonsense? So how hackers update mysql then?
Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Most sites nowadays are using parametized SQL — not inline SQL. The situation would occur above if for instance, there was parsed, inline SQL, similar to the following:

    Non-Parameterized Pseudo

    string sql = "SELECT * FROM table_name WHERE smth='" + UserInput + "'";
ExecuteSql(sql);

    …where UserInput defines an element on the website.

    Instead of adding valid data to the UserInput field, you add, 

    UserInput = '';DROP table_name;

    …you would actually be adding new logic to the end of the query, resulting in a malicious use of the system.

    Parametized statements eliminate the possibility of SQL injection, since you can’t modify the structure of the query by inserting logic into the signature.

    If you attempted to set the UserInput field to a malacious query, but the site used parameters in the statement, then you would be out of luck.

    Parameterized Pseudo:

    Adapter proc;
proc.StoredProcedure = "GetUserNames"
proc.AddParameter("@USER",UserInput);
proc.Execute();

    …as @USER is now equal to the literal “‘\;DROP table_name;”, which the SQL will treat as a regular ol’ parameter.

    • 0