SQL Injection

Suppose the query is constructed using:

    "select * from instructor where name = '" + name + "'"

Suppose the user, instead of entering a name, enters:

    X' or 'Y' = 'Y

Then the resulting statement becomes:

    "select * from instructor where name = '" + "X' or 'Y' = 'Y" + "'"

which is:

    select * from instructor where name = 'X' or 'Y' = 'Y'

The user could even have entered:

    X'; update instructor set salary = salary + 10000; --

A prepared statement internally uses:

    "select * from instructor where name = 'X\' or \'Y\' = \'Y'"

Always use prepared statements, with user inputs as parameters.

Database System Concepts - 6th Edition 5.12 ©Silberschatz, Korth and Sudarshan
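The slide's two constructions side by side, as an added example that is not from the textbook: the same `instructor` lookup built by string concatenation and then as a parameterized query, run against an in-memory SQLite database. The table rows are constructed sample data; the input `X' or 'Y' = 'Y` is the one on the slide. The concatenated version returns every instructor, because the injected `or 'Y' = 'Y'` is always true; the parameterized version treats the whole input as a single name value and matches nothing.

```python
import sqlite3

# Constructed sample data (not the textbook's); column names follow the slide's instructor table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table instructor (ID text, name text, dept_name text, salary real)"
    )
    conn.executemany(
        "insert into instructor values (?, ?, ?, ?)",
        [
            ("10101", "Srinivasan", "Comp. Sci.", 65000),
            ("12121", "Wu", "Finance", 90000),
            ("22222", "Einstein", "Physics", 95000),
        ],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the slide's construction. User input becomes part of the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    query = "select * from instructor where name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, name):
    # Safe: the SQL text is fixed; the driver sends the input as a bound parameter,
    # so quotes and keywords inside it are never interpreted as SQL.
    return conn.execute(
        "select * from instructor where name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "X' or 'Y' = 'Y"
    print("concatenated:", len(lookup_concat(db, injected)), "rows")   # every row
    print("prepared:    ", len(lookup_prepared(db, injected)), "rows") # no rows
    print("prepared, real name:", lookup_prepared(db, "Wu"))
```

The parameterized form is what the slide calls a prepared statement: the query is compiled once with a placeholder, and the input is supplied as data, which is why the literal `'` in the user's string is harmless there.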