Notes:
SQL Injection
See ... SQL Injection Attacks by Example.
We went through this by example in class.
- The underlying schema
- The page we went through for the SQL injection demo
- The form on the above page was calling siMailLogin.php
The issue in this script is the construction of a SQL query by concatenating user input into the query string.
- Don't give away hints: No errors, etc. sent back to the attacker.
- Know your inputs: To mitigate this problem, check your inputs (remember, it is
better to look for good inputs and reject the rest than to look for bad inputs and accept the rest).
White listing: Accept good inputs, reject the rest.
Black listing: Reject bad inputs, accept the rest.
White listing is better.
- Even better: use a prepared statement as in siMailLoginSecure.php.
Prepared statements are sent to the database as parameterized queries. The database
parses the parameterized query first and then waits for the parameters to be sent.
When the parameters arrive, they are filled into the already-built parse tree for the query, so
there is no ambiguity about their role: a parameter is always data, never part of the SQL.
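The three points above (check inputs against an allow-list, give the attacker no hints, and use a parameterized query) side by side, as an added example. This is not the siMailLogin.php or siMailLoginSecure.php code from class; it is a Python sketch against a constructed in-memory SQLite table with made-up users, so the table name, columns and sample rows are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory table (not the class schema).
    Passwords are stored in plaintext only to keep the query-construction point visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The mistake in the demo script: the query text is built from user input,
    so quote characters in the input change the structure of the query."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Parameterized query: the database parses the statement with '?' placeholders,
    then receives the values separately. They are filled into the parse tree as data
    and can never be read as SQL, whatever characters they contain."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Allow-list (white list): describe what a good username looks like and reject the rest.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_allowed_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def login_defended(conn, username, password):
    """Input check plus prepared statement. A rejected or failed login returns the same
    None either way: no error text or hint about which check failed goes back to the caller."""
    if not is_allowed_username(username):
        return None
    return login_prepared(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    # A legitimate login works through both paths.
    print(login_vulnerable(db, "alice", "correct horse"), login_prepared(db, "alice", "correct horse"))
    # A password value containing a quote rewrites the concatenated query
    # but is just an unmatched string for the prepared statement.
    crafted = "' OR '1'='1"
    print(login_vulnerable(db, "", crafted), login_prepared(db, "", crafted))
    print(login_defended(db, "bob", "hunter2"), login_defended(db, crafted, "x"))
```

Running the script shows the concatenated version accepting an empty username with a quote-bearing password, while the parameterized version treats the same value as a literal password and finds no match. The allow-list check on the username is defence in depth on top of the prepared statement, not a replacement for it.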