- SQL injection: SQL injection is a code injection that might destroy your database. For example if there is an input box in the form
name
and buttonSearch
. When we click search button we send name parameter to the back-end and back-end executes a query like'SELECT * from user WHERE name=' + name
. But when an attacker sends a string likejohn; drop user
, the query drops the entire user table.
Most ORMS already prevent this kind of attack so we don’t need to worry when we use ORMs. But if we use raw SQL queries (for example for query optimization purpose), we should consider about this attack. - Cross Site Scripting (XSS) attack
The example of XSS attack is as following.
Let’s say there is an input box ‘name’ and search button. When we click search, we send name to the back-end and back-end returns list of users to the front-end. Front-end displays a string likeSearch result for name <name>
as well as the list of users. But when an attacker input a string like<script> alert('I am hack'); </script>
, this script is executed instead of being displayed on the page. This means hacker is able to execute any kind of Javascript code. To prevent this attack, we can sanitize any string in the input box. So that the<script>
can be<script>