An SQL Injection attack is when an attacker uses a URL parameter to manipulate your database and thereby gain access to your site.
You are also at serious risk of becoming a victim of an SQL Injection attack if you are currently utilizing a standard Transact SQL, because it’s very easy for an attacker to type in a rogue code into your query to gain access to your data and information.
To stop this from happening to you, you need to use a parameterized query, which is simple to implement as most web languages have it.
For instance, a common query would look like this:
“SELECT * FROM table WHERE column – ‘ “ + parameter + “ ‘ ; “
To prevent an attacker from adding a query to the end of this statement, you will need to parameterize it.
You can do this by changing it to look like this:
$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’); $stmt->execute(array(‘value’ => $parameter));
