% Introduction to SQL Injection
% Stefan Friese
% 11 April, 2024

---

# Topics

* How an SQL Injection is Created
* How to Exploit an SQL Injection
* SPOILER: How to Prevent an SQL Injection in the Next Presentation

---

## How Does it Happen

An SQL injection occurs when two things come together.

---

### Number 1

An SQL Query as a string embedded in other languages

```python
sql_query =
  cursor.execute(
    "SELECT * FROM user_data where username = 'admin' and password = 's3cur3P4ssw0rd'"
  )
```

---

### Number 2

User input is possible as a part of said SQL query

```python
sql_query =
  cursor.execute(
    "SELECT * FROM user_data where username = '%s' and password = '%s'",
    % (username, password)
  )
```

---

## How to Exploit an SQL Injection

* Close the string through an ending quote
* Continue the query with your own SQL code

---

# The End

<img src="./images/exploits_of_a_mom.png" alt="Convoluted Code" width="50%" height="auto%">