Spec & Goals 3 min
AQA Spec 3.6.1.1 — SQL injection (a cyber security threat)
By the end of this lesson you can:
- Describe what an SQL injection attack is.
- Explain how entering SQL into an input box can damage a database.
- State how to defend against it (validation / sanitising input).
Warm-Up 5 min
Websites send your input to a database using SQL commands (you'll learn SQL fully in Unit 7). If the site doesn't check that input carefully, an attacker can sneak in their own SQL.
Quick starter
A login box expects a username. What might go wrong if someone types ' OR '1'='1 instead of a name?
Reveal the idea
That text can change the meaning of the database query so the condition is always true — potentially logging the attacker in without a password. That's SQL injection.
Key Concept — injecting commands 14 min
SQL injection is entering SQL commands into an input box (e.g. a login or search field) on a website, so that the malicious SQL runs against the database.
Why it works
The website builds an SQL query by joining fixed SQL with whatever the user typed. If the input isn't checked, the user's text becomes part of the command.
A normal login might build:
SELECT * FROM users WHERE username = 'aisyah' AND password = 'p@ss';
But if the attacker types ' OR '1'='1 as the username, the query can become:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
Because '1'='1' is always true, the WHERE test passes and the attacker may be let in, or shown every user's record.
How to defend against it
- Validate / sanitise input — reject or escape characters like ' and SQL keywords.
- Parameterised queries — keep the user's input as data, never as part of the command.
- Least privilege — the website's database account can only do what it needs.
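To make the "why it works" and "parameterised queries" points concrete, here is an added Python/sqlite3 example that is not part of the lesson: the login query built by joining strings, beside the parameterised version, plus a simple validation check. The lesson's payload is supplied here as the password rather than the username, because SQL evaluates AND before OR and the always-true test has to sit outside the AND for the whole condition to pass. The table, user and function names are constructed for this demo.

```python
import re
import sqlite3

# Constructed sample database for the demonstration (not from the lesson):
# one user, matching the lesson's login example.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('aisyah', 'p@ss')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    # Joins fixed SQL with whatever the user typed, so the typed text
    # becomes part of the command. This is the weak pattern from the lesson.
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "';")
    return con.execute(query).fetchall()

def login_parameterised(con, username, password):
    # The ? placeholders mean the database receives the input as data;
    # quotes or keywords inside it are never interpreted as SQL.
    query = "SELECT * FROM users WHERE username = ? AND password = ?;"
    return con.execute(query, (username, password)).fetchall()

def is_valid_username(username):
    # Validation: accept only letters, digits and underscores (1 to 20 chars),
    # so characters like ' and ; are rejected before any query is built.
    return re.fullmatch(r"[A-Za-z0-9_]{1,20}", username) is not None

if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"   # the lesson's payload, typed as the password
    print(login_vulnerable(con, "nobody", payload))      # [('aisyah', 'p@ss')]
    print(login_parameterised(con, "nobody", payload))   # []
    print(is_valid_username(payload))                    # False
```

The vulnerable version returns a record for an unknown user with no password, while the parameterised version returns nothing because the database compares the literal text of the payload against the stored password.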
Worked Example — read the attack 12 min
Problem: A search box runs SELECT * FROM products WHERE name = '[input]';. Show what a malicious input could do, and how to stop it.
Attacker types:
'; DROP TABLE products; --
The query the site builds becomes:
SELECT * FROM products WHERE name = ''; DROP TABLE products; --';
- The first statement runs harmlessly.
- DROP TABLE products; then deletes the whole products table.
- -- comments out the rest, so the query doesn't error.
Defence: validate/sanitise the input (reject the ' and ; / use a parameterised query), so the text is treated only as a product name to search for — never as SQL.
Try It Yourself 12 min
Goal: Describe, in one sentence, what an SQL injection attack is.
Goal: Explain why a website is vulnerable if it does not check user input.
Goal: A login form is vulnerable to SQL injection. Describe two ways the developer could secure it.
Hint: validation, and how the query is built.
📝 Exam Practice 10 min
Describe what is meant by an SQL injection attack.
Mark scheme
- Entering SQL code into a website input field (1).
- Which is then run by the database to access / change / destroy data (1).
Explain how an SQL injection attack could let someone log in without a valid password.
Mark scheme
- The injected SQL changes the WHERE condition so it is always true (1).
- So the check passes / a matching record is returned and access is granted (1).
State one way a programmer can protect a website against SQL injection.
Mark scheme
- Validate / sanitise the input (accept: use parameterised queries) (1).
Recap & Key Terms 3 min
SQL injection puts SQL code into an input box so the database runs it. It works when a site trusts unchecked input, and can read, change or delete data. Defend by validating/sanitising input and using parameterised queries so input is treated as data, not commands.
- SQL injection
- Entering SQL into a website input field so the database runs it, to view, change or destroy data.
- Input validation
- Checking that input is acceptable before use — a key defence against injection.
- Sanitising input
- Removing or escaping dangerous characters so input cannot be run as SQL.
- Parameterised query
- A query where user input is passed as data, never as part of the SQL command.
Homework 1 min
Task (≤ 15 min): A canteen ordering site lets students type their name, which is dropped straight into an SQL query. Explain the risk and recommend two fixes.
Model answer
Because the name is placed directly into the SQL, a student could type SQL code instead of a name (SQL injection) to read other students' data or delete records. Fixes: (1) validate/sanitise the input to remove characters like ' and the semicolon; (2) use parameterised queries so the input is always treated as data, not commands. Also accept: limit the database account's privileges.
Award marks for: risk identified as SQL injection (1); harm described (1); two valid fixes (2).