\begin{frame}[fragile]
  \frametitle{SQL Injection}

  % Overlay plan (4 slides): 1 benign login form, 2 adds the server-side
  % code, 3 swaps the form contents for the attacker's input, 4 shows the
  % query that input produces together with the warning.
  \vspace{-1ex}
  \begin{exampleblock}{Website with Login Screen}
    \vspace{-.5ex}
    \begin{tcenter}
    \begin{tikzpicture}
      % Each label node is immediately followed by its input field, which is
      % positioned relative to that label through the `ro' key (defined in the
      % preamble, not on this frame).  Field contents switch to the attacker's
      % input from slide 3 onwards.
      \node (lbl) [anchor=east] at (0,0) {Name:};
      \node [ro=lbl, rectangle, draw, fill=yellow!10,
             minimum width=30mm, minimum height=4mm, align=left]
            {\sql{\alt<3->{\alert{Joe' --}}{Maria}}};
      \node (lbl) [anchor=east] at (0,-5mm) {Password:};
      \node [ro=lbl, rectangle, draw, fill=yellow!10,
             minimum width=30mm, minimum height=4mm, align=left]
            {\sql{\alt<3->{who cares}{12345}}};
    \end{tikzpicture}
    \end{tcenter}
    \vspace{-1ex}
  \end{exampleblock}

  % Vulnerable pattern on display: untrusted form input is concatenated
  % straight into the query text.  The listing is verbatim and is meant to
  % look wrong; the remedy (a parameterised query, e.g. a
  % java.sql.PreparedStatement with bind variables) is not part of this frame.
  \begin{code}{\textwidth}{Server Side SQL}
    \begin{lstlisting}[language=Java]
String userName = // name that the user has entered
String userPassword = // password that the user has entered

ResultSet rs = stat.executeQuery(
                      "SELECT balance FROM accounts " +
                      "WHERE name = '" + userName + "'" + 
                      "  AND passwd = '" + userPassword + "'"
                    );
    \end{lstlisting}
  \end{code}
  \pause\vspace{-2ex}

  % From slide 4 the benign query is replaced by the injected one; the grey
  % tail is what the `--' in the name field turns into an SQL comment, i.e.
  % the whole password check.
  \begin{code}{\textwidth}{The Resulting SQL Query}
    \sql{SELECT balance FROM accounts}\\
    \alt<4->{\sql{WHERE name = 'Joe' \textcolor{gray}{-- ' AND passwd = 'who cares'}}}
            {\sql{WHERE name = 'Maria' AND passwd = '12345'}}
  \end{code}
  \pause\pause
  \begin{alertblock}{}
    \alert{SQL injection} is a very common mistake! Very dangerous!
  \end{alertblock}
\end{frame}