Query Construction and Vulnerability Points

Traditional query construction often involves string concatenation, where developers build SQL statements by combining static query templates with user input. This approach seems intuitive and works correctly with benign input, leading many developers to overlook its critical security flaw. Consider this PHP example:

// Raw request values, copied into variables without validation or escaping
$username = $_POST['username'];
$password = $_POST['password'];
// String interpolation pastes the raw input directly into the SQL text,
// so the input becomes part of the statement's syntax, not just its data
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($connection, $query);

This code appears functional but contains a severe vulnerability. When a user provides normal input like john and secretpass, the query executes as intended. However, an attacker entering admin' OR '1'='1 as the username and anything as the password creates:

SELECT * FROM users WHERE username = 'admin' OR '1'='1' AND password = 'anything'

Since '1'='1' is always true, this query returns all users, potentially granting unauthorized access.
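To make the difference between concatenation and parameter binding observable, here is an added example (not code from the original page) that reproduces the same login query in Python against an in-memory SQLite database instead of PHP and MySQL, so it runs stand-alone. The table contents are constructed sample data. `login_concat` builds the statement by string interpolation exactly as the PHP above does; `login_param` sends the SQL text and the values separately through placeholders. One detail worth knowing when reading the result: SQL evaluates `AND` before `OR`, so the injected condition is parsed as `username = 'admin' OR ('1'='1' AND password = 'anything')`, and the concatenated version matches the `admin` row without its password ever being checked. The parameterized version treats the whole input as a literal username, finds no such user, and the login fails as it should. In PHP the equivalent fix is `mysqli_prepare` with `mysqli_stmt_bind_param`, which is the same placeholder mechanism used here.

```python
import sqlite3

# Constructed sample users, not data from the original page.
SAMPLE_USERS = [
    ("admin", "adm1n-pass"),
    ("john", "secretpass"),
]

# The exact statement template used by the PHP code above.
TEMPLATE = "SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"


def make_db():
    """Create an in-memory database with a users table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_concat_query(username, password):
    """Vulnerable construction: user input is interpolated into the SQL text."""
    return TEMPLATE.format(username=username, password=password)


def login_concat(conn, username, password):
    """Run the concatenated query; returns the usernames of matching rows."""
    query = build_concat_query(username, password)
    # The database parses attacker-controlled text as part of the statement.
    return [row[0] for row in conn.execute(query)]


def login_param(conn, username, password):
    """Hardened construction: placeholders keep data separate from SQL syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    # Values are bound by the driver; quotes in the input stay inside the value.
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    injected_user = "admin' OR '1'='1"   # the input discussed in the text above
    print("concatenated SQL:", build_concat_query(injected_user, "anything"))
    print("concatenated result:", login_concat(conn, injected_user, "anything"))
    print("parameterized result:", login_param(conn, injected_user, "anything"))
    print("legitimate login:", login_param(conn, "john", "secretpass"))
```

Running the script prints the concatenated statement from the text, shows that it returns the `admin` row although no valid password was supplied, and shows the parameterized query returning nothing for the same input while still authenticating `john` normally. The fix is structural rather than a matter of filtering characters: once values travel through placeholders, the database never parses them as SQL.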