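% Slide: SQL injection demo -- a login form, the server-side code that glues the
% form values into an SQL string, and the query that comes out of it.
% Overlay sequence (driven by \pause and the \alt<...> overlay specs):
%   1: form filled with a benign login (Maria / 12345) and the Java code
%   2: the query the concatenation produces for the benign input
%   3: the form now shows the hostile name (Joe' --); query still the old one
%   4: the resulting query (password predicate commented out) and the warning
\begin{frame}[fragile]
  \frametitle{SQL Injection}
  \vspace{-1ex}
  \begin{exampleblock}{Website with Login Screen}
    \vspace{-.5ex}
    \begin{tcenter}
      \begin{tikzpicture}
        % Name field: benign value up to overlay 2, attacker-controlled value afterwards.
        % "-\,-" keeps the two hyphens from being turned into an en-dash.
        \node (n) [anchor=east] at (0,0) {Name:};
        \node [ro=n,rectangle,draw,fill=yellow!10,minimum width=30mm,minimum height=4mm,align=left]
          {\sql{\alt<-2>{Maria}{\alert{Joe' -\,-}}}};
        % Password field: once the name closes the quote and starts a comment,
        % whatever is typed here no longer reaches the query.
        \node (n) [anchor=east] at (0,-5mm) {Password:};
        \node [ro=n,rectangle,draw,fill=yellow!10,minimum width=30mm,minimum height=4mm,align=left]
          {\sql{\alt<-2>{12345}{who cares}}};
      \end{tikzpicture}
    \end{tcenter}
    \vspace{-1ex}
  \end{exampleblock}
  % The vulnerable pattern: untrusted form input concatenated straight into the SQL text
  % and handed to a plain Statement.  The listing is verbatim, so its lines start at column 0.
  \begin{code}{\textwidth}{Server Side SQL}
\begin{lstlisting}[language=Java]
String userName = // name that the user has entered
String userPassword = // password that the user has entered
ResultSet rs = stat.executeQuery(
    "select balance from accounts " +
    "where name = '" + userName + "'" +
    " and password = '" + userPassword + "'" );
\end{lstlisting}
  \end{code}
  \pause\vspace{-2ex}
  % What the database actually receives.  Overlays 2-3 show the benign query,
  % overlay 4 the injected one, with the commented-out tail greyed out.
  \begin{code}{\textwidth}{The Resulting SQL Query}
    \sql{select balance from accounts}\\
    \alt<-3>{%
      \sql{where name = \textquotesingle{}Maria\textquotesingle{} and password = \textquotesingle{}12345\textquotesingle{}}%
    }{%
      % Everything after the injected "--" is an SQL comment: the password check is gone.
      \sql{where name = \textquotesingle{}Joe\textquotesingle{} \textcolor{gray}{-\,- \textquotesingle{} and password = \textquotesingle{}who cares\textquotesingle{}}}%
    }
  \end{code}
  \pause\pause
  \begin{alertblock}{}
    \alert{SQL injection} is a very common mistake! Very dangerous!
    The remedy: never build the query text from user input; pass the values as bound parameters instead (in JDBC, a \texttt{PreparedStatement} with \texttt{?} placeholders).
  \end{alertblock}
\end{frame}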