Showing posts with the label SQL Injection

SQL INJECTION

SQL in Web Pages

In the previous chapters, you have learned to retrieve (and update) database data using SQL. When SQL is used to display data on a web page, it is common to let web users input their own search values.

Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically change SQL statements to provide the user with selected data:

Server Code

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The example above creates a select statement by adding a variable (txtUserId) to a select string. The variable is fetched from the user input (Request) to the page.

The rest of this chapter describes the potential dangers of using user input in SQL statements.

SQL Injection

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and com...