SQL injection attacks are a special case of a more general type of attack.
Whenever a program, whether it is an Android app, a web server, or some other kind of system, takes input from the outside world, an attacker may try to exploit this to attack the system.
By carefully crafting a malicious input, an attacker may be able to get the system to do something that the designer did not intend. This could involve access to sensitive data, but equally it could result in real physical damage, or possibly even serious injuries or fatalities (remember the Jeep Cherokee hack in week 1!).
It is therefore vitally important that a program always:
carefully checks all inputs for dangerous values, or
enforces strong restrictions on how the inputs are used.
The parameterised query that we used to fix BuggyTheApp is an example of the latter approach.
Enforcing strong restrictions on how user inputs are used is the preferred solution, because correctly filtering out dangerous values is hard to get right and error-prone.
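The two approaches side by side, as an added example in Python with SQLite (not the course's BuggyTheApp code): a lookup built by string concatenation, the same lookup as a parameterised query, and an allow-list check in front of the concatenated version. The table, sample rows and the name pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not the course's BuggyTheApp database).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by concatenation: the input becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the input is bound as a value and cannot change the SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Assumed allow-list for user names: letters, digits and underscore only.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    """Input-checking approach: reject anything outside the allow-list before it reaches SQL."""
    if not NAME_PATTERN.fullmatch(name):
        raise ValueError("invalid user name")
    return lookup_vulnerable(conn, name)  # only safe because of the check above


if __name__ == "__main__":
    db = make_db()
    # Constructed input that rewrites the WHERE clause of the concatenated query.
    crafted = "' OR '1'='1"
    print(lookup_vulnerable(db, crafted))     # returns every row: the condition is now always true
    print(lookup_parameterised(db, crafted))  # returns []: no user literally has that name
    try:
        lookup_validated(db, crafted)
    except ValueError as err:
        print("rejected:", err)
```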
© University of Southampton 2017