Inline Queries SQL Injection (SQLi)

By Manieendar Mohan
Published on 04 Jul 2018
SQL Injection

When a SQL statement is written as a string in the application code instead of being kept in the database, it is referred to as “inline SQL”. Such a query is usually built by joining string objects with user input from the front end. Building the command this way exposes it to SQL injection, because the input becomes part of the SQL text itself. The outcome can have catastrophic repercussions for the server, including a massive data breach.

Example

The code below is an example of an inline query.

        $query = 'select usrnme, passwrd from User where user_id='. $_POST['user_id'];

    

Here user_id is taken from a text box and concatenated into the query string as submitted, with no validation and no parameter binding. This leaves the door open for attackers: using SQLi against this query, an attacker could potentially gain access to the administrator’s credentials.

Impact and Fixes
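The inline query from the example beside a parameterized version, as an added illustration that is not code from the original article. The in-memory SQLite table, its rows, the function names `lookup_inline` and `lookup_prepared`, and the sample inputs are constructed assumptions standing in for the real database and `$_POST['user_id']`.

```php
<?php
// Constructed in-memory table so the example runs offline (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE User (user_id INTEGER PRIMARY KEY, usrnme TEXT, passwrd TEXT)');
$pdo->exec("INSERT INTO User VALUES (1, 'admin', 'hash-a'), (2, 'alice', 'hash-b')");

// Vulnerable: the article's inline pattern. The input is concatenated into
// the SQL text, so the database parses it as part of the statement.
function lookup_inline(PDO $pdo, string $userId): array
{
    $query = 'select usrnme, passwrd from User where user_id=' . $userId;
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the expected type, then bind the value as a parameter.
// The SQL text is fixed; the input is only ever treated as data.
function lookup_prepared(PDO $pdo, string $userId): array
{
    $id = filter_var($userId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare('select usrnme, passwrd from User where user_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_POST['user_id']: one expected value and one
// value that carries SQL syntax.
$inputs = ['2', '2 OR 1=1'];
foreach ($inputs as $input) {
    printf(
        "input %-12s inline: %d row(s)  prepared: %d row(s)\n",
        "'" . $input . "'",
        count(lookup_inline($pdo, $input)),
        count(lookup_prepared($pdo, $input))
    );
}
```

For the second input the inline function returns every row in the table, while the prepared function returns none.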


Written by Manieendar Mohan, Cyber Security Lead Engineer