SQL injections 

SQL injection is one of the most common vulnerabilities that arise in applications. For data owners it is among the worst situations, since data can be lost, and at the same time it is one of the easiest to prevent. The primary means of preventing SQL injection are sanitization and validation, implemented as parameterized queries and stored procedures.

When a malefactor (or any user) tries to connect to the database through the standard login form, the system generates a request to the database that looks like:

SELECT * FROM db_user WHERE username='' AND password=''

Suppose an attacker can substitute arbitrary strings for the username and password values. In that case, authentication can be bypassed by supplying the following username together with an arbitrary password:

realUserLogin' OR '1'='1

In this case the system will create the following query:

SELECT * FROM db_user WHERE username='realUserLogin' OR '1'='1' AND password=''

If realUserLogin is a valid user name, this SELECT statement returns the realUserLogin record from the table. The password is never checked because username='realUserLogin' is already true; consequently, the expression after the OR cannot change the result. As long as the components after the OR form a syntactically correct SQL expression, the attacker is granted the access of realUserLogin.

Similarly, an attacker could supply the following string for the password, with an arbitrary username:

' OR '1'='1

Even when realUserLogin is not a valid user name, this works because the second condition is always true. The resulting query is:

SELECT * FROM db_user WHERE username='' AND password='' OR '1'='1'

'1'='1' always evaluates to true, causing the query to yield every row in the database. In this scenario, the attacker would be authenticated without needing a valid username or password.

If the attacker does not know a valid login such as realUserLogin (which may be as simple as admin), there are other ways to get at the data, depending on the type of database in use:

In place of the login name the attacker can supply the following string for Oracle: ' OR '1'='1' and rownum=1-- or, for MySQL: ' OR '1'='1' LIMIT 1--

Code Example in Java

This noncompliant code example shows JDBC code that authenticates a user to the system; it permits a SQL injection attack through a username such as validuser' OR '1'='1 :

  public void checkAuthorization (String username, char[] password) throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      ...
    }
    try {
      String pwd = hashPassword(password);
      String sqlString = "SELECT * FROM db_user WHERE username = '"
                         + username +
                         "' AND password = '" + pwd + "'";
      Statement stmt = connection.createStatement();
      ResultSet rs = stmt.executeQuery(sqlString);
 
      if (!rs.next()) {
        throw new SecurityException(
          "User name or password incorrect"
        );
      }
 
      // Authenticated; proceed
    } finally {
      try {
        connection.close();
      } catch (SQLException x) {
        // Forward to handler
      }
    }
  }

Code Example with PreparedStatement

The java.sql.PreparedStatement class properly escapes input strings when they are bound as parameters, preventing SQL injection when used correctly. However, the following code still permits a SQL injection attack: it builds the statement text by concatenating the unsanitized username argument (and the password hash) into the query string before calling prepareStatement, so no parameter binding takes place.

  public void checkAuthorization (String username, char[] password) throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      ...
    }
    try {
      String pwd = hashPassword(password);
      String sqlString = "select * from db_user where username=" +
        username + " and password =" + pwd;
      PreparedStatement stmt = connection.prepareStatement(sqlString);
 
      ResultSet rs = stmt.executeQuery();
      if (!rs.next()) {
        throw new SecurityException("User name or password incorrect");
      }
 
      // Authenticated; proceed
    } finally {
      try {
        connection.close();
      } catch (SQLException x) {
        // Forward to handler
      }
    }
  }

Compliant Solution with PreparedStatement

This compliant solution uses a parameterized query with a ? character as a placeholder for each argument. This code also validates the length of the username argument, preventing an attacker from submitting an arbitrarily long user name.

  public void checkAuthorization (String username, char[] password) throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      ...
    }
    try {
      String pwd = hashPassword(password);

      // Validate username length
      if (username.length() > 8) {
        // Handle error
      }

      String sqlString =
        "select * from db_user where username=? and password=?";
      PreparedStatement stmt = connection.prepareStatement(sqlString);
      stmt.setString(1, username);
      stmt.setString(2, pwd);
      ResultSet rs = stmt.executeQuery();
      if (!rs.next()) {
        throw new SecurityException("User name or password incorrect");
      }

      // Authenticated; proceed
    } finally {
      try {
        connection.close();
      } catch (SQLException x) {
        // Forward to handler
      }
    }
  }

In addition, you can verify your input data for potentially threatening content inside the input parameters before it reaches the query.
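The following worked example is added here and is not part of the original page or of the Java examples above. It uses Python's standard-library sqlite3 module as a stand-in for the JDBC code: it builds the query the way the noncompliant example does and runs the bypass string from the text against it, then runs the same input through a parameterized query, and finally adds the input validation the compliant solution calls for. It goes slightly beyond the page by restricting the characters in a user name as well as its length. The db_user table, the realUserLogin account and its password, the hash_password stand-in and the MAX_USERNAME_LEN value are all constructed for this example.

```python
import hashlib
import sqlite3

# Constructed for this example: an assumed upper bound on user-name length.
# (The page's Java example uses 8; the sample account below is longer, so 32 is used here.)
MAX_USERNAME_LEN = 32


def hash_password(password: str) -> str:
    """Stand-in for the page's hashPassword(); a real system would use a
    salted, deliberately slow password hash rather than plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory db_user table holding a single valid account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO db_user (username, password) VALUES (?, ?)",
        ("realUserLogin", hash_password("correct-horse")),
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """Builds the query the way the noncompliant Java does: the raw username
    is concatenated straight into the SQL text."""
    pwd = hash_password(password)
    return (
        "SELECT * FROM db_user WHERE username = '" + username
        + "' AND password = '" + pwd + "'"
    )


def vulnerable_check(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Noncompliant: a quote in `username` closes the string literal and the
    rest becomes SQL; AND binds tighter than OR, so the password clause is moot."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchone() is not None


def safe_check(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Compliant: `?` placeholders. The driver binds the values as data, so a
    quote inside `username` is compared literally and never parsed as SQL."""
    sql = "SELECT * FROM db_user WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, hash_password(password))).fetchone()
    return row is not None


def validate_username(username: str) -> bool:
    """Defence in depth, extending the page's length check: bound the length
    and allow only characters a user name legitimately needs."""
    if not 0 < len(username) <= MAX_USERNAME_LEN:
        return False
    return all(c.isalnum() or c in "._-" for c in username)


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validate first, then query with bound parameters. Either layer alone
    blocks the bypass; together they also reject malformed input early."""
    if not validate_username(username):
        return False
    return safe_check(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "realUserLogin' OR '1'='1"   # the bypass string from the text
    print(build_vulnerable_sql(payload, "wrong"))
    print("concatenated query:", vulnerable_check(db, payload, "wrong"))  # True: bypassed
    print("parameterized query:", safe_check(db, payload, "wrong"))       # False
    print("valid login:", authenticate(db, "realUserLogin", "correct-horse"))  # True
```

Printing build_vulnerable_sql for the payload shows the query from the text, with the OR landing outside the string literal; the parameterized version never produces such a string because the username is sent to the engine separately from the SQL text.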