freeCodeCamp/guide/english/sql/sql-injection/index.md

---
title: SQL Injection
---
## SQL Injection
SQL injection is a malicious technique that is meant to compromise or destroy databases. It is one of the most common web-hacking techniques.

SQL injection is performed by placing malicious code in SQL statements via an input. 

The following example is a code snippet that will retrieve a user from a database based on an `AccountId`.

```
passedInAccountId = getRequestString("AccountId");
sql = "select * from Accounts where AccountId = " + passedInAccountId;
```

SQL injection can be used to compromise this code by injecting a `1=1;` statement for `AccountId`.

`https://www.foo.com/get-user?AccountId="105 OR 1=1;"`

`1=1` will always evaluate to `TRUE`. This will cause the executed code to output all of the Accounts table.
fix: change directory structure 2018-10-12 19:37:13 +00:00			`---`
			`title: SQL Injection`
			`---`
			`## SQL Injection`
			`SQL injection is a malicious technique that is meant to compromise or destroy databases. It is one of the most common web-hacking techniques.`

			`SQL injection is performed by placing malicious code in SQL statements via an input.`

			The following example is a code snippet that will retrieve a user from a database based on an `AccountId`.

			```
			`passedInAccountId = getRequestString("AccountId");`
			`sql = "select * from Accounts where AccountId = " + passedInAccountId;`
			```

			SQL injection can be used to compromise this code by injecting a `1=1;` statement for `AccountId`.

			`https://www.foo.com/get-user?AccountId="105 OR 1=1;"`

			`1=1` will always evaluate to `TRUE`. This will cause the executed code to output all of the Accounts table.