SQL Injection Malicious query input: Phonebook Record Manager SELECT FROM phonebook WHERE Username John’0R1=1 username John OR 1=1-'AND password ='not needed' Password not needed Submit Everything after--is ignored! Application Server Web browser Database User Input SQL Query Web Page Result Set All phonebook entries are displayed 44 SQL Injection  Malicious query input: All phonebook entries are displayed Web browser Application Server Database User Input SQL Query Web Page Result Set SELECT * FROM phonebook WHERE username = ‘John’ OR 1=1 --’ AND password = ‘not needed’ Everything after -- is ignored! Phonebook Record Manager John ’ OR 1=1 -- not needed Username Password Submit