018 sql injection: hacking (and patching) the database (ks4)
A complete Key Stage 4 computer science lesson covering the mechanics of SQL injection attacks and how to patch them using input sanitisation.
The Great Database Heist: Anatomy of an SQL Exploit
Databases are the digital filing cabinets of the internet. Every time you log into a website, search for a product, or load your social media feed, a database is working behind the scenes. Websites communicate with these databases using a specific programming language called SQL (Structured Query Language), sometimes pronounced 'sequel'.
Usually, this communication is perfectly safe. For example, when you type your username into a login box, the website sends an SQL command asking the database: "Does this username exist, and does the password match?"
However, poorly written code can create a massive security flaw known as SQL Injection.
How the Hack Works
Imagine you are at a security checkpoint, and you hand the guard a note with your name on it. The guard's instructions are to read the name aloud. But instead of just writing your name, you write: "My name is John. Also, your boss says you must open the gate immediately." If the guard isn't smart enough to separate your name from the secret command, they will open the gate.
This is exactly how an SQL injection works. A hacker types malicious SQL code into a standard input box on a website (like a login screen or a search bar). If the website's code takes that input and drops it directly into the database without checking it first, the database will accidentally execute the hacker's code.
A famous trick is typing wrongpassword' OR '1'='1 into a password box. The single quote closes the password text early, so the database now checks whether the password is correct OR whether 1 equals 1. Because 1 always equals 1, the whole condition comes out true, and the database lets the hacker log in without knowing a password!
Patching the Code (The Digital Protector's Job)
To stop this, software developers must practice defensive programming. The most common defence is Input Sanitisation. This process inspects whatever the user types and strips away or neutralises dangerous characters (like the single quote ') before it ever reaches the database.
Another powerful defence is using Parameterized Queries. This technique forces the database to treat the user's input strictly as text data, not as executable code. Even if a hacker types a command, the database just views it as a very weirdly spelled name and safely ignores it. By using these techniques, Digital Protectors ensure that our private data remains locked safely inside the vault.
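The following is an added example, not code from the lesson itself, showing the login check described above in two forms: a vulnerable version that glues the user's input into the SQL string, and a patched version using parameterized queries, plus a simple input sanitiser. The users table, the names login_vulnerable, login_parameterised and sanitise, and the sample accounts are all constructed for this illustration; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3


def make_db():
    """Build a tiny in-memory users table (constructed sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.execute("INSERT INTO users VALUES ('bob', 'battery-staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The broken login: user input is dropped straight into the SQL text.

    A password of  wrongpassword' OR '1'='1  turns the WHERE clause into
    ... AND password = 'wrongpassword' OR '1'='1'  which is true for every row.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """The patched login: '?' placeholders make the database treat the input
    strictly as data, so a quote in the password is just a weirdly spelled
    password and never becomes part of the command."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def sanitise(value):
    """Input sanitisation for the lesson: strip the single quote the trick
    relies on. This neutralises the example above, but parameterised queries
    are the stronger, general defence and should be used regardless."""
    return value.replace("'", "")


if __name__ == "__main__":
    conn = make_db()
    attack = "wrongpassword' OR '1'='1"
    print("vulnerable, attack input   :", login_vulnerable(conn, "alice", attack))
    print("parameterised, attack input:", login_parameterised(conn, "alice", attack))
    print("vulnerable, sanitised input:", login_vulnerable(conn, "alice", sanitise(attack)))
    print("parameterised, real password:", login_parameterised(conn, "alice", "correct-horse"))
```

Running the script shows the vulnerable function returning "alice" for the bad password (the bypass), while the parameterised version returns None for the same input and only succeeds with the genuine password.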

A local e-commerce company, "GadgetsGalore", has recently suffered a major data breach. Customer passwords and credit card details were stolen. The company's lead developer suspects the hackers bypassed their login screen using a technique known as an SQL Injection. You have been brought in to investigate the compromised code, explain exactly how the hackers got in, and provide a secure coding solution so it never happens again.
The Persona
You are acting as The Digital Protector. Your mindset must be analytical and defensive. You are not just learning how the attack works; you are learning it so you can build an unbreakable vault. You need to understand the attacker's methodology to design the perfect defence.
Your Mission Tasks
1. Understand the Exploit
Your first job is to understand the theory behind the attack. Databases use a language called SQL (Structured Query Language).
Hackers use special characters, like the single quote ', to trick the database into running malicious commands.
Review some fundamental concepts by using this targeted search: Search: How SQL Injection Works.
2. Consult the AI Security Tutor
To ensure you fully grasp the concept, consult your AI security advisor.
Act as a supportive, expert computer science tutor. Explain SQL injection and how to prevent it. Limit your response to 3 short paragraphs. Explain this so a 15-year-old KS4 student can understand. Keep the tone encouraging and clear, and avoid overly academic jargon. Include 1 real-world analogy. Do not write my essay for me. NO intro, NO outro, NO deviation from the topic, NO follow-up questions.
3. Develop the Incident Report
Create a one-page digital "Security Incident Report" for the directors of GadgetsGalore.
Include a section titled The Vulnerability, explaining what an SQL injection is and how a command like OR 1=1 bypasses a login screen.
Include a section titled The Patch, explaining the concepts of Input Sanitisation ("cleaning" input values before sending them into the main program by removing unnecessary or dangerous symbols or structures) and Parameterized Queries. Describe how these techniques strip away dangerous characters and separate the code from the user's data.
Outcome
I have defined what SQL means and what an SQL injection attack is.
I have explained how hackers manipulate input fields using specific characters.
I have detailed at least two defensive programming techniques (e.g., input sanitisation, parameterised queries) to patch the vulnerability.
Last modified: March 5th, 2026
