SQL Injection
SQL Injection (SQLi) is a very common and dangerous web security vulnerability. The attacker "injects" malicious SQL code through the web application's input fields (such as a login form or a search bar).
If the application is not properly secured, the database runs that malicious code as if it were a valid query, which can give the attacker full control over the database.
Example: Login Bypass
Suppose a website builds its login query like this: "SELECT * FROM users WHERE username = '" + user_input + "';"
The attacker enters the following in the username field: ' OR '1'='1
The final query becomes: SELECT * FROM users WHERE username = '' OR '1'='1';
Because '1'='1' is always TRUE, the WHERE clause is always true, and the attacker logs in without a password.
Prevention (How to Stop It)
- Prepared Statements (Parameterized Queries): This is the best method. The query template and the user input are sent to the database separately, so the database never interprets the input as code.
- Input Validation: Carefully check every input coming from the user for special characters (such as ', ;, --). This is a secondary layer; prepared statements remain the primary defence.
- Using ORMs: Object-Relational Mapping libraries (such as Hibernate or Django ORM) protect against SQL injection by default, because they generate parameterized queries for you.
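The login-bypass query above and the prepared-statement fix, side by side, as an added example that is not part of the original page. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the function names and sample users are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample database, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'pw1'), ('bob', 'pw2')")
    return conn


def lookup_vulnerable(conn, user_input):
    # The pattern from the page: the input is concatenated into the SQL text,
    # so the database parses whatever the user typed as part of the query.
    query = "SELECT username FROM users WHERE username = '" + user_input + "';"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user_input):
    # Prepared statement: the template and the value travel separately;
    # the driver binds the value, so quotes inside it never alter the query.
    query = "SELECT username FROM users WHERE username = ?;"
    return [row[0] for row in conn.execute(query, (user_input,))]


def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # the input shown on the page
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_parameterized(conn, "alice"),
        # The concatenated query matches every row; the bound one matches none.
        "payload_vulnerable": lookup_vulnerable(conn, payload),
        "payload_safe": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the concatenated query returning every user for the payload, while the parameterized query returns an empty result because no username literally equals the injected string.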