Lesson Plan Title: Add Data with SQL

Concept / Topic To Teach:
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack.

Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.

It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.

General Goal(s):
The form below allows a user to view salaries associated with a userid (from the table named salaries). This form is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to add a record to the table.


In this lesson, we will use the INSERT query, which uses the format:
INSERT INTO table VALUES (value1, value2);

In this case, the salaries table has two relevant columns: column 1 is userid, and column 2 is salary. We will use the command:
INSERT INTO salaries VALUES ('rlupin',140000);

This, however, will not work correctly. We are inserting this in between two single quotes in the command:
SELECT * FROM salaries WHERE userid='userid';

If we treated this lesson as we have treated the previous one, our command would look like this:
SELECT * FROM salaries WHERE userid='whatever'; INSERT INTO salaries VALUES ('rlupin',150000);'

The statement cannot end with a single quote after the semicolon, so we must comment out the quote using --.
To complete this lesson, type the following into the field and press go:
whatever'; INSERT INTO salaries VALUES ('rlupin',140000);--

If you then search for the userid rlupin, you will see there is new record.

New employee record after using an INSERT query.