Security - GCSE CS

SQL Injection Demo

See how SQL injection attacks work and how parameterised queries stop them. Switch between Vulnerable and Protected modes to compare.

Key exam concepts
What is SQL injection?
An attack where malicious SQL code is inserted into an input field. If the application concatenates user input directly into a SQL query, the attacker's code becomes part of the query and is executed by the database.
Why is it dangerous?
An attacker can bypass authentication, read all records from a database, delete or modify data, or in some configurations execute operating system commands - all without knowing a valid password.
How is it prevented?
Parameterised queries (also called prepared statements) keep SQL code and user input completely separate. The database engine handles input as data only, so it can never be interpreted as SQL instructions.
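The comparison the demo makes, written out as an added Python example (not part of the original page): a login check built by string concatenation next to the same check as a parameterised query, both run against a constructed in-memory SQLite table with a single assumed user. The injected input is the textbook one the demo illustrates, and the assertions show it bypasses the concatenated query but is treated as plain data by the parameterised one.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user, stored in memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # Concatenation: whatever the user types becomes part of the SQL text,
    # so quotes and keywords in the input change the structure of the query.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_protected(conn, username, password):
    # Parameterised query: the SQL is fixed in advance and the ? placeholders
    # receive the input as values only, so it can never become SQL code.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Textbook injected input: closes the password string and adds a condition
# that is always true, so the WHERE clause matches without a real password.
INJECTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("alice", INJECTED_INPUT))
    print("vulnerable login:", login_vulnerable(db, "alice", INJECTED_INPUT))
    print("protected login: ", login_protected(db, "alice", INJECTED_INPUT))
```

Running it prints the concatenated query with the injected text inside it, then True for the vulnerable check and False for the protected one.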
Is this examinable?
SQL injection is a required topic at GCSE. You must be able to explain what it is, how it works, and how parameterised queries prevent it. It is treated as a cybersecurity threat.