SQL injection is currently the most common form of web site attack in that web forms are very common, often they are not coded properly and the hacking tools used to find weaknesses and take advantage of them are commonly available online. This kind of exploit is easy enough to accomplish that even inexperienced hackers can accomplish mischief. However, in the hands of the very skilled hacker, a web code weakness can reveal root level access of web servers and from there attacks on other networked servers can be accomplished.
Structured Query Language (SQL) is the nearly universal language of databases that allows the storage, manipulation, and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access and Filemaker Pro and these databases are equally subject to SQL injection attack.
Hackers Use Sql Injection Vulnerablity To Dump A Databases.
Web based forms must allow some access to your database to allow entry of data and a response, so this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box, might provide access to your data by means of SQL injection if coded incorrectly.
What is SQL injection?
The Wikipedia article on SQL injection reads:
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution.
SQL Injection is a web-based attack used by hackers to steal sensitive information from organizations through web.
The underlying fact that allows for SQL injection is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.
For example, let’s consider a web application that implements a form-based login mechanism to store the user credentials and performs a simple SQL query to validate each login attempt.
Here is a typical example:
select * from users where username="admin" and password='admin123′;
If the attacker knows the username of the application administrator is admin, he can log in as admin without supplying any password.
admin'–
The query in the back-end looks like:
Select * from users where username="admin"–' and password='xxx';
Note the comment sequence (–) causes the followed query to be ignored, so query executed is equivalent to:
Select * from users where username="admin";So password check is bypassed.
This Post Is A Basic Of Sql Injection More Sql related Articles Coming Soon.