How can I explain SQL injection without technical jargon?

submitted by
Style Pass
2022-09-29 21:00:24

Stack Exchange network consists of 182 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Information Security Stack Exchange is a question and answer site for information security professionals.

I need to explain SQL injection to someone without technical training or experience. Can you suggest any approaches that have worked well?

Imagine you're a robot in a warehouse full of boxes. Your job is to fetch a box from somewhere in the warehouse, and put it on the conveyor belt. Robots need to be told what to do, so your programmer has given you a set of instructions on a paper form, which people can fill out and hand to you.

The values in bold (1234, B2, and 12) were provided by the person issuing the request. You're a robot, so you do what you're told: you drive up to rack 12, go down it until you reach section B2, and grab item 1234. You then drive back to the conveyor belt and drop the item onto it.
