== Try It!   String SQL Injection

The query in the code builds a dynamic query as seen in the previous example.  The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection: 

------------------------------------------------------------
"select USERID, FIRST_NAME, LAST_NAME, CC_NUMBER, CC_TYPE, COOKIE, LOGIN_COUNT from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";
------------------------------------------------------------

Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list.