How do I explain SQL injection to non-technical people? (a programmer's take)

Source: Internet
Author: User

A couple of days ago I saw an article on the cnblogs news feed titled "How can I explain SQL injection to non-technical people?" (http://kb.cnblogs.com/page/515151/). It was written by a foreign author and translated by Bole Online. I found it easy to follow; anyone who has never written a program or a line of SQL should still be able to understand it.

This morning on the subway to work I read a joke (forgive a programmer for browsing a site that has nothing to do with programming). After I stopped laughing, the words "SQL injection" suddenly jumped into my head. Let me copy the joke here first, to lighten things up:

A friend of mine is a courier. One day he was delivering a package and had reached the buyer's building. The buyer's name was "Clown Sent by the Monkeys". He phoned and asked: "Excuse me, are you Clown Sent by the Monkeys?" All he heard back was a roar: "You're the clown! Your whole family are clowns!" He had no choice but to send a text saying the package was downstairs. Less than two minutes later the buyer came down and said: "Um, that was me, Clown Sent by the Monkeys."

I don't know what other programmers think of this joke, but to me it is a perfect real-life example for understanding SQL injection.


A program passes a SQL statement to the database as a string, and the database receives the complete SQL string, parses it, and executes it. Suppose the buyer in the joke were called Zhang San. The courier would phone and ask: "Excuse me, are you Zhang San?" The courier is the client: he sends the SQL string to the buyer. The buyer parses "Excuse me, are you Zhang San?", works out that he is being asked whether his name is Zhang San, and returns the result of executing that question: "I am" or "I am not". In the joke, however, the buyer is called "Clown Sent by the Monkeys", and the courier did not parameterize his query. He spliced the buyer's name directly onto "Excuse me, are you" and sent the whole SQL string as one piece. The buyer parsed "Excuse me, are you Clown Sent by the Monkeys?" and understood it, wrongly, as "Excuse me, are you a clown sent by the monkeys?", in other words an insult. The meaning the courier intended and the meaning the buyer understood no longer match. Why? Because part of the name combines with the executing action "are you" to produce a new action with new semantics, so the original semantics of the action are replaced by new ones, and the buyer's execution result ends up being "You're the clown, your whole family are clowns!" rather than the "I am / I am not" the courier wanted. (I am not sure whether this way of putting it matches the linguistic definition of the words.)

Later I thought of parameterized queries, the basic way to prevent SQL injection. In fact, if the third sentence of the joke had said the buyer's name was Clown Sent by the Monkeys without the quotation marks, I expect you would have read all the way to "Your whole family are clowns!" without feeling anything was off, because the meaning we as readers understood would be the same as the meaning the buyer understood, and both would differ from what the courier meant. What sets up the punchline is precisely that third sentence, and it plays the role of the parameterized query: the quotation marks mark the name off as a value. So when we see the courier ask his question, we understand it as "Excuse me, are you the buyer whose name is 'Clown Sent by the Monkeys'?", which is exactly the meaning the courier wanted to convey. A simple example of a parameterized SQL query: SELECT * FROM users WHERE user_name = 'xxx'. When the client builds this SQL string, the meaning it wants to express is "look up, from the users table, the records whose user name is xxx". If the query is not parameterized and SQL is injected as a' or 1=1--, replacing xxx gives the SQL string SELECT * FROM users WHERE user_name = 'a' or 1=1--'. What the database now parses is "from the users table, return every record whose user name is a, or where 1=1 (that is, every record), and ignore the rest of the string". The semantics the database parses are plainly inconsistent with the semantics the client meant, so the result the database returns to the client is not the result the client (or the programmer) expected.
With a parameterized query it becomes: SELECT * FROM users WHERE user_name = @username, with @username = "a' or 1=1--". What the database parses is "look up, from the users table, the records whose user name equals the value stored in the variable @username". The value of @username is a' or 1=1--, and since under normal circumstances nobody has a user name like that, the query does not return the wrong result. That is how parameterized SQL queries prevent SQL injection. Life has similar situations, like the joke above; if you see it the same way I do, you can use this everyday example in future to explain the technical term "SQL injection" to non-technical people.
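To make the two paths concrete, here is an added example (my own code, not from the original post or the translated article it mentions) using Python's built-in sqlite3 module. The users table and its rows are constructed for the demonstration, and SQLite's :username placeholder stands in for the @username shown above. It goes one step beyond the post by also trying a legitimate name containing an apostrophe, which the spliced string cannot even parse, while the parameterized query handles it as just another value.

```python
import sqlite3

# Constructed sample table for this example (not data from the original post).
SAMPLE_USERS = [
    ("zhangsan", "zhangsan@example.com"),
    ("lisi", "lisi@example.com"),
    ("O'Brien", "obrien@example.com"),
]

# The injection string discussed in the post.
INJECTION = "a' or 1=1--"


def make_db():
    """Create an in-memory SQLite database that plays the role of the 'buyer'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def spliced_sql(username):
    """The 'courier' splicing the name straight into the sentence it will send."""
    return "SELECT user_name, email FROM users WHERE user_name = '" + username + "'"


def find_user_vulnerable(conn, username):
    """Run the spliced string: the database parses the name as part of the SQL."""
    return conn.execute(spliced_sql(username)).fetchall()


def find_user_parameterized(conn, username):
    """The SQL text is fixed; the name travels separately as a bound value.

    ':username' is SQLite's named-placeholder syntax, the equivalent of the
    SQL Server style '@username' used in the post.
    """
    sql = "SELECT user_name, email FROM users WHERE user_name = :username"
    return conn.execute(sql, {"username": username}).fetchall()


def compare(username):
    """Return what each approach yields for one input, for side-by-side inspection."""
    conn = make_db()
    try:
        vulnerable = find_user_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe in the name breaks the spliced statement outright.
        vulnerable = "syntax error: " + str(exc)
    parameterized = find_user_parameterized(conn, username)
    conn.close()
    return {
        "sent": spliced_sql(username),
        "vulnerable": vulnerable,
        "parameterized": parameterized,
    }


if __name__ == "__main__":
    for name in ("zhangsan", INJECTION, "O'Brien"):
        result = compare(name)
        print("input:          ", repr(name))
        print("spliced SQL:    ", result["sent"])
        print("vulnerable ->   ", result["vulnerable"])
        print("parameterized ->", result["parameterized"])
        print()
```

Run it and compare the three inputs: for "zhangsan" both paths agree; for the injection string the spliced statement returns every row because the database read 'a' or 1=1 as part of the condition and treated the rest as a comment, while the parameterized query returns nothing because no user is literally named a' or 1=1--; for O'Brien the spliced statement is not even valid SQL, which is the same class of bug seen from the honest side.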

Finally, "SQL injection" is not originally a Chinese term; it is a translation of the English "SQL injection". As for why English speakers chose the word "injection" to describe this situation, I still don't know.

